CVE-2026-9809 · Severity: HIGH · CNA: Mautic

CVE-2026-9809: A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7

A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.
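The defect described above is an output-encoding failure: an attacker-controlled project name is interpolated into the tag and its popover markup as-is. The following is an added illustration, not Mautic's own template code (which this page does not show); the element structure, the `data-content` attribute and the function names are assumptions, and the sample project name is constructed. It places the vulnerable rendering pattern beside the hardened one and adds a small oracle a template unit test can use.

```javascript
// Added example, not Mautic's own code: rendering an untrusted project name into
// a tag and its popover. Markup structure and attribute names are assumptions;
// the point is that every interpolation point passes through an HTML escaper.

// Escape the five characters that let a string break out of element content or
// a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw name is concatenated into markup twice, once as
// the visible label and once as the popover body attribute.
function renderTagUnsafe(project) {
  return `<span class="label" data-toggle="popover" data-content="${project.name}">` +
         `${project.name}</span>`;
}

// Hardened pattern: identical markup, but the name is escaped once and the
// escaped form is used at both interpolation points, so any tags or quotes in
// it become inert text.
function renderTagSafe(project) {
  const name = escapeHtml(project.name);
  return `<span class="label" data-toggle="popover" data-content="${name}">` +
         `${name}</span>`;
}

// Count tag openers ("<" followed by a letter or "/") in rendered markup. A
// correctly rendered tag contains exactly two (the <span> and its </span>);
// anything more means the project name contributed markup of its own.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample: a project name carrying markup. The script body is only a
// comment, so nothing would execute even if it were rendered raw.
const SAMPLE_PROJECT = { name: "Q3 Launch <script>/* attacker code */</script>" };

console.log("unsafe tag count:", countTags(renderTagUnsafe(SAMPLE_PROJECT))); // 6
console.log("safe tag count:  ", countTags(renderTagSafe(SAMPLE_PROJECT)));   // 2
```

The same rule applies at the DOM sink: when the popover body is assembled client-side, assign the name via `textContent` rather than `innerHTML`, and keep the popover library in plain-text mode (Bootstrap's `html` option defaults to `false`) so the attribute value is never re-parsed as markup.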

HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) flaw exists in the Projects component of Mautic 7, where project names are rendered in administrative tag popovers without proper sanitization. An authenticated user with project edit rights can inject JavaScript that runs in an administrator's browser when they hover over the tag, letting the attacker act as the admin, change configurations, or exfiltrate sensitive data. A patched-image rebuild at Mautic 7.1.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Mautic images in customer registries and build pipelines, including custom-built derivatives. Coverage extends to internal images that layer Mautic 7.0.0 through 7.1.1.
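Matching an image inventory against the affected range is a version-comparison problem, and the usual pitfall is comparing dotted versions as strings. The block below is an added example, not HarborGuard's matcher: the affected range (7.0.0 up to but not including 7.1.2) comes from this page, while the image references, the tag format and the function names are constructed assumptions. It handles only tag-based references, not digest references.

```javascript
// Added example, not HarborGuard's matcher: flag image references whose Mautic
// version lies in the affected range stated on this page, 7.0.0 <= v < 7.1.2.
// Image names and tag formats below are constructed; only the range is real.

const AFFECTED_RANGE = { from: "7.0.0", fixedIn: "7.1.2" };

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
// Pre-release suffixes such as "-rc1" are ignored, a deliberate simplification.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1. A plain string comparison
// would misorder versions such as 7.9.0 and 7.10.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive lower bound, exclusive upper bound (the fixed version is safe).
function isAffected(version, range = AFFECTED_RANGE) {
  return compareVersions(version, range.from) >= 0 &&
         compareVersions(version, range.fixedIn) < 0;
}

// Take the tag after the last ":" of a tag-based image reference. A registry
// port ("host:5000/...") still precedes the tag colon, so lastIndexOf is safe
// for tags; "@sha256:..." digest references are out of scope here.
function versionFromImageRef(ref) {
  return ref.slice(ref.lastIndexOf(":") + 1);
}

function findAffectedImages(refs) {
  return refs.filter((ref) => isAffected(versionFromImageRef(ref)));
}

// Constructed inventory, not real registry data.
const SAMPLE_INVENTORY = [
  "registry.example/mautic:7.0.0",
  "registry.example/mautic:7.1.1",
  "registry.example/mautic:7.1.2",
  "registry.example/mautic:7.10.0",
  "registry.example:5000/team/mautic-custom:v7.0.3",
];

console.log(findAffectedImages(SAMPLE_INVENTORY));
```

Note that `7.10.0` is correctly reported as unaffected because the minor components are compared as integers; an inventory tool that sorts tags lexically would get that case wrong.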
Triage: Available

Triage is available with the published CVSS 3.1 score of 7.6 (High), reweighted per environment against each customer's compliance policy and asset criticality. Findings are routed to the appropriate inbox inside each customer org based on image ownership and workload tags.
Patch: Available

A patched-image rebuild at Mautic 7.1.2 is available on HarborGuard for environments running an affected version. Customers who opt into auto-remediation get the rebuilt image, a regression-test run, and a pull request opened against the workloads that reference the vulnerable image.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Mautic administrative interface over the network.

  • Authentication: Required

    A low-privilege account with permission to create or edit projects is sufficient.

  • Victim interaction: Required

    An administrator must view an associated entity and hover over the malicious project tag to trigger the script.

  • Attack complexity: Low

    Attack complexity is low: the payload fires reliably once an admin hovers the tag, with no race or environmental conditions.

Blast Radius

  • Executes arbitrary JavaScript in an authenticated administrator's browser session against the Mautic admin UI.
  • Performs administrative actions on behalf of the victim, including altering system configurations and managing campaigns, emails, or forms.
  • Reads sensitive data visible to the admin session and exfiltrates it to an attacker-controlled endpoint.
  • Pivots across the scope boundary into other components rendered alongside the vulnerable popover.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at Mautic 7.1.2 is published for environments running 7.0.0 through 7.1.1, and customers with auto-remediation enabled receive an automatic rebuild, a regression-test run, and a pull request against affected workloads. Median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy requires manual review, the patched image is staged and a triage ticket is opened for operator approval; in the interim, restricting project create/edit permissions to trusted users reduces exposure.

Metrics

  • CVSS v3.1: 7.6
  • Severity: HIGH
  • Fixed in: 7.1.2
  • Affected Products: 1

Fix available: 7.1.2

Affected packages
  • unknown: < 7.1.2 (from 7.0.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N