This release includes 3 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: ReleasePort Layer 1 version 5.2.11 patches three critical CVEs (SQL injection, SSRF, and server-side template injection) and updates vulnerable Symfony and Composer dependencies.
Why it matters: CVE severity is high (severity 90); all deployments using API contact filtering, the Mautic Focus component, or theme templates must patch immediately to prevent injection attacks.
Summary
AI summary: Updates Security Fixes, DevOps Updates, and the advisory https://github.com/mautic/mautic/security/advisories/GHSA-fcmw-wx57-9p75 across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Fixes SQL injection in API contact filtering. | CVE-2026-4776 |
| Security | Critical | Fixes SSRF vulnerability in the Mautic Focus component. | CVE-2026-9557 |
| Security | Critical | Fixes server-side template injection in theme templates. | CVE-2026-9558 |
| Dependency | Medium | Updates Symfony 5.4 components to latest security patch levels. | - |
| Dependency | Medium | Updates vulnerable Composer dependencies for the 5.2 security phase. | - |
Full changelog
Announcing Mautic 5.2.11: Capella Edition
Security Release
This release addresses several security vulnerabilities. We strongly advise updating your installation at your earliest convenience after performing a full backup and testing the upgrade in a staging environment.
Security Fixes
- CVE-2026-4776: SQL Injection in API Contact Filtering
  - Attribution: Reported by @Senku01 and @Harish4948. Fixed by @Senku01. Reviewed by @patrykgruszka.
  - Advisory: GHSA-fcmw-wx57-9p75
- CVE-2026-9557: SSRF in the Mautic Focus Component
  - Attribution: Reported by @r1beirin and @dungNHVhust. Fixed by @patrykgruszka. Reviewed by @escopecz.
  - Advisory: GHSA-jmv8-8j9j-rcpc
- CVE-2026-9558: Server-Side Template Injection (SSTI) in Theme Templates
  - Attribution: Reported by @onurcangnc, @xfer0, and @Entropt. Fixed by @onurcangnc. Reviewed by @escopecz and @patrykgruszka.
  - Advisory: GHSA-9fx4-7cmj-47vg
DevOps Updates
- Refresh Symfony 5.4 components to latest security patch levels (by @escopecz).
- Update vulnerable Composer dependencies for the 5.2 security phase (by @escopecz).
Release Team & Sponsors
This release was made possible through the dedicated efforts of our community and supporters:
- Release Leader: @patrykgruszka
- Release Assistant: @escopecz
- Sponsor: Special thanks to @leuchtfeuer for sponsoring this security release.
Package Checksums
SHA1(5.2.11.zip)= b0874d0f14c73c5f106ba8131b887ff786a374c8
SHA1(5.2.11-update.zip)= da58e7aa3eda81999f0bd86b8a6bba4b2d21ed37
Security Fixes
- CVE-2026-4776: SQL Injection in API Contact Filtering (GHSA-fcmw-wx57-9p75)
- CVE-2026-9557: SSRF in Mautic Focus Component (GHSA-jmv8-8j9j-rcpc)
- CVE-2026-9558: Server-Side Template Injection in Theme Templates (GHSA-9fx4-7cmj-47vg)