This release includes 3 security fixes and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Mautic 6.0.9 patches three critical security flaws: SQL injection in API contact filtering, SSRF in the Mautic Focus component, and SSTI in theme templates.
Why it matters: CVE-2026-4776, CVE-2026-9557, and CVE-2026-9558 each carry a severity score of 90; all deployments should upgrade to version 6.0.9 immediately.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Fixes SQL injection vulnerability in API contact filtering | CVE-2026-4776 |
| Security | Critical | Fixes Server-Side Request Forgery (SSRF) vulnerability in the Mautic Focus component | CVE-2026-9557 |
| Security | Critical | Fixes Server-Side Template Injection (SSTI) vulnerability in theme templates | CVE-2026-9558 |
| Dependency | Low | Updates vulnerable Composer dependencies for the 6.0 security phase | none |
Full changelog
Announcing Mautic 6.0.9
Security Release
This release addresses several security vulnerabilities. We strongly advise updating your installation at your earliest convenience after performing a full backup and testing the upgrade in a staging environment.
Security Fixes
- CVE-2026-4776: SQL Injection in API Contact Filtering
  - Attribution: Reported by @Senku01 and @Harish4948. Fixed by @Senku01. Reviewed by @patrykgruszka.
  - Advisory: GHSA-fcmw-wx57-9p75
- CVE-2026-9557: SSRF in the Mautic Focus Component
  - Attribution: Reported by @r1beirin and @dungNHVhust. Fixed by @patrykgruszka. Reviewed by @escopecz.
  - Advisory: GHSA-jmv8-8j9j-rcpc
- CVE-2026-9558: Server-Side Template Injection (SSTI) in Theme Templates
  - Attribution: Reported by @onurcangnc, @xfer0, and @Entropt. Fixed by @onurcangnc. Reviewed by @escopecz and @patrykgruszka.
  - Advisory: GHSA-9fx4-7cmj-47vg
DevOps Updates
- Update vulnerable Composer dependencies for 6.0 security phase (by @escopecz).
Release Team & Sponsors
This release was made possible through the dedicated efforts of our community and supporters:
- Release Leader: @patrykgruszka
- Release Assistant: @escopecz
- Sponsor: Special thanks to @leuchtfeuer for sponsoring this security release.
Package Checksums
SHA1(6.0.9.zip)= 9062b0812321a37301a5d44e6b8ee70667bb04a7
SHA1(6.0.9-update.zip)= 5af03f548e27b3d03002a9ebd5d741e5cdad8518
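As an added example (not part of the Mautic release notes or the project's own tooling), the following POSIX shell snippet verifies the two downloaded archives against the SHA-1 values published above before they are unpacked on a server. The archive filenames and digests are the ones listed above; the fallback to `shasum` on systems without `sha1sum` is an assumption.

```shell
#!/bin/sh
# Expected SHA-1 digests, copied from the Mautic 6.0.9 release notes above.
MAUTIC_609_ZIP_SHA1="9062b0812321a37301a5d44e6b8ee70667bb04a7"
MAUTIC_609_UPDATE_ZIP_SHA1="5af03f548e27b3d03002a9ebd5d741e5cdad8518"

# sha1_of FILE: print the lowercase hex SHA-1 digest of FILE.
# Uses sha1sum (coreutils) when present, otherwise shasum (assumed available
# on BSD/macOS systems).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_sha1 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED,
# 1 when the file is missing or the digest differs. Mismatches are reported
# on stderr so the call can be used directly as a gate in a deploy script.
verify_sha1() {
  file="$1"
  expected="$2"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  actual="$(sha1_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file: expected $expected, got $actual" >&2
  return 1
}

# Usage (run from the directory holding the downloaded archives); unpack
# only when both checks pass:
#   verify_sha1 6.0.9.zip "$MAUTIC_609_ZIP_SHA1" \
#     && verify_sha1 6.0.9-update.zip "$MAUTIC_609_UPDATE_ZIP_SHA1" \
#     && unzip -q 6.0.9-update.zip -d /path/to/staging
```

The published digest is only as trustworthy as the channel it was fetched from, so take it from the official release page over HTTPS rather than from a mirror, and treat a mismatch as a reason to discard the archive rather than retry the install.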
Security Fixes
- CVE-2026-4776: SQL Injection in API Contact Filtering (GHSA-fcmw-wx57-9p75)
- CVE-2026-9557: SSRF in the Mautic Focus Component (GHSA-jmv8-8j9j-rcpc)
- CVE-2026-9558: Server-Side Template Injection in Theme Templates (GHSA-9fx4-7cmj-47vg)