CRITICAL · CVE-2026-9558 · CNA: Mautic

CVE-2026-9558: A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

HarborGuard Analysis

Synopsis

A server-side template injection vulnerability in Mautic's theme engine lets authenticated users upload Twig templates that render without a sandbox, allowing arbitrary code execution on the host. It is reachable over the network and requires only a low-privilege account that can create or upload themes, after which the attacker achieves full remote code execution and access to restricted files. Patched-image rebuilds at 4.4.20, 5.2.11, 6.0.9, and 7.1.2 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against Mautic images in customer registries and CI pipelines, including custom-built derivatives that repackage Mautic.

Triage: Available

Triage is available with the published CVSS v3.1 score of 9.9 (Critical) weighted against each customer's compliance policy, and findings are routed to the appropriate inbox inside the customer org based on image ownership and workload tags.

Patch: Available

A patched-image rebuild at the matching fix line (4.4.20, 5.2.11, 6.0.9, or 7.1.2) becomes available on HarborGuard for affected environments. For customers who opt into auto-remediation, the rebuild is generated, regression-tested, and opened as a PR against workloads referencing the affected image.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Mautic web interface over the network (AV:N).

  • Authentication: Required

    A low-privilege Mautic account with theme create or upload permission is sufficient (PR:L).

  • Victim interaction: Not required

    No user must click or open anything; the attacker triggers rendering directly (UI:N).

  • Attack complexity: Low

    Uploading a crafted Twig template reliably triggers execution without race conditions or environmental tuning (AC:L).

Blast Radius

  • Executes arbitrary code on the Mautic host as the web application user, giving shell-level control of the container or, for non-containerized deployments, of the host itself; the changed scope in the vector (S:C) reflects that the impact reaches beyond the Mautic application into the underlying system.
  • Reads restricted system files, environment variables, database credentials, and Mautic configuration secrets.
  • Modifies or deletes Mautic data including contacts, campaigns, and stored templates by writing through the compromised process.
  • Disrupts or takes the Mautic service offline through destructive commands or resource exhaustion from the executed payload.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at 4.4.20, 5.2.11, 6.0.9, or 7.1.2, matched to the affected release line, with a regression run and a PR opened against workloads that reference the vulnerable image in environments where auto-remediation is enabled. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. Until the upgrade lands, restrict Mautic's theme create and upload permissions to a minimal set of trusted admin accounts, audit recently uploaded themes for unexpected Twig constructs (access to the Twig environment, array filters handed a PHP function name, file reads outside the theme directory), and treat any theme uploaded by an unexpected account while a vulnerable version was deployed as a potential indicator of compromise, since a successful exploit already ran code as the web application user.
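The audit step above, as an added example that is not HarborGuard's or Mautic's code: a Python scanner that walks an unpacked theme directory or a theme zip and flags the Twig construct families that only matter when rendering is unsandboxed (reaching the Twig environment through `_self.env`, array filters given a callable name, `source()`/`include` pointing outside the theme, dynamic `attribute()`/`constant()` calls). The file layout (`*.twig` under the theme root), the rule set, and the two sample templates are assumptions constructed for illustration.

```python
"""Audit Mautic theme templates for Twig constructs that are dangerous without a sandbox.

Added example for this advisory, not HarborGuard or Mautic code. Assumed: themes are
directories or zip archives containing *.twig files, and the families in RULES are the
constructs worth flagging. BENIGN and MALICIOUS below are constructed samples.
"""
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    snippet: str


# Rule name -> pattern, applied only inside {{ ... }} and {% ... %}. Each pattern targets a
# family of known Twig gadgets rather than one exploit string, so variants are caught too.
RULES = {
    # template reaching the Twig\Environment object through _self
    "env_access": re.compile(r"_self\s*\.\s*env\b"),
    # Environment methods that register or fetch PHP callables
    "env_method": re.compile(
        r"\b(registerUndefinedFilterCallback|registerUndefinedFunctionCallback"
        r"|getFilter|getFunction|getRuntime)\s*\("
    ),
    # array filters given a callable *name* ('system', 'exec'); arrow functions are not flagged
    "callable_filter": re.compile(r"\|\s*(filter|map|reduce|sort)\s*\(\s*['\"]"),
    # source()/include with an absolute or parent-relative path reads outside the theme
    "file_read": re.compile(r"\b(source|include)\s*\(?\s*['\"](/|\.\./)"),
    # dynamic attribute/method lookup and PHP constant access
    "dynamic_call": re.compile(r"\b(attribute|constant)\s*\("),
}

TWIG_COMMENT = re.compile(r"\{#.*?#\}", re.DOTALL)
TWIG_TAG = re.compile(r"\{[{%].*?[}%]\}", re.DOTALL)


def scan_template(text: str, name: str = "<inline>") -> list[Finding]:
    """Return one Finding per (tag, rule) hit with 1-based line numbers."""
    # Drop comments but keep their newlines so reported line numbers stay correct.
    text = TWIG_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    findings = []
    for tag in TWIG_TAG.finditer(text):
        chunk = tag.group(0)
        line = text.count("\n", 0, tag.start()) + 1
        for rule, pattern in RULES.items():
            if pattern.search(chunk):
                findings.append(Finding(name, line, rule, " ".join(chunk.split())))
    return findings


def scan_theme_dir(root: Path) -> list[Finding]:
    """Scan an unpacked theme, e.g. themes/<name>/ on a Mautic install."""
    findings = []
    for path in sorted(root.rglob("*.twig")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_template(text, str(path.relative_to(root))))
    return findings


def scan_theme_zip(archive: Path) -> list[Finding]:
    """Scan a theme upload without unpacking it."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".twig"):
                text = zf.read(info).decode("utf-8", errors="replace")
                findings.extend(scan_template(text, info.filename))
    return findings


# Constructed: an ordinary email template fragment that must produce no findings.
BENIGN = """{# header partial #}
<p>{{ content|raw }}</p>
{% for item in items|filter(i => i.enabled) %}<li>{{ item.name|e }}</li>{% endfor %}
{% include 'partials/footer.html.twig' %}
"""

# Constructed: the construct families the advisory says to audit for.
MALICIOUS = """{# looks like a normal theme file at first glance #}
<p>{{ ['id']|filter('system') }}</p>
<p>{{ _self.env.registerUndefinedFilterCallback('exec') }}</p>
<p>{{ source('/etc/passwd') }}</p>
{% include '../../config/local.php' %}
"""

if __name__ == "__main__":
    for f in scan_template(MALICIOUS, "html/email.html.twig"):
        print(f"{f.file}:{f.line} [{f.rule}] {f.snippet}")
```

Run it against `themes/<name>/` on the Mautic host or against the uploaded archive itself. An arrow-function filter such as `items|filter(i => i.enabled)` is deliberately left alone: the risk is a string naming a PHP function, not the filter, and flagging every `filter` would bury the real hits in legitimate theme code.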


Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: 4.4.20 (lowest fix line; all fix lines are listed under Fix available)
Affected Products: 1

Fix available: 4.4.20, 5.2.11, 6.0.9, 7.1.2

Affected packages
  • unknown: < 4.4.20 (from 1.3.0) · < 5.2.11 (from 5.0.0) · < 6.0.9 (from 6.0.0) · < 7.1.2 (from 7.0.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
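The affected ranges above, as an added example that is not HarborGuard's or Mautic's code: a small Python check that maps a Mautic version to the fix line it needs, applying the four ranges literally, so anything outside them (including versions below 1.3.0) is reported as not affected. The pre-release handling, under which `5.2.11-rc1` still counts as unfixed, the `v` prefix and build-metadata tolerance, and the sample inventory are my assumptions, not something the advisory states.

```python
"""Decide which fix line a running Mautic version needs, using this advisory's ranges.

Added example, not HarborGuard or Mautic code. The four ranges are copied from the
advisory's Affected packages entry and applied literally. Pre-release semantics and the
sample inventory in __main__ are assumptions.
"""
import re

# (first affected, first fixed) per release line as 4-tuples. The trailing 1 marks a final
# release; a pre-release gets 0, so 5.2.11-rc1 -> (5,2,11,0) sorts below 5.2.11 and is unfixed.
AFFECTED_RANGES = [
    ((1, 3, 0, 1), (4, 4, 20, 1)),
    ((5, 0, 0, 1), (5, 2, 11, 1)),
    ((6, 0, 0, 1), (6, 0, 9, 1)),
    ((7, 0, 0, 1), (7, 1, 2, 1)),
]

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(version: str) -> tuple:
    """'5.2.10' -> (5,2,10,1); '5.2.11-rc1' -> (5,2,11,0); build metadata (+...) is ignored."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Mautic version: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def assess(version: str) -> tuple:
    """Return ('affected', '<first fixed release>') or ('not_affected', None)."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return "affected", ".".join(str(n) for n in first_fixed[:3])
    return "not_affected", None


def rebuild_plan(versions) -> dict:
    """Group affected versions by the fix release their images should be rebuilt to."""
    plan = {}
    for ver in versions:
        status, fix = assess(ver)
        if status == "affected":
            plan.setdefault(fix, []).append(ver)
    return plan


if __name__ == "__main__":
    # constructed inventory of Mautic versions found in image labels
    inventory = ["4.4.19", "4.4.20", "5.2.11-rc1", "6.0.8", "7.1.2"]
    for fix, vers in rebuild_plan(inventory).items():
        print(f"rebuild to {fix}: {', '.join(vers)}")
```

Feed it the version each image actually runs (from the image label or Mautic's own version file), not the tag name, since tags such as `latest` carry no version at all and the parser rejects them rather than guessing.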