
mautic

v7.1.2 Security

This release includes 7 security fixes for security teams reviewing exposed deployments.

This release patches 7 known CVEs

Topics

digital-experience-platform digitalexperienceplatform dxp email-marketing email-marketing-automation email-marketing-software marketing-automation marketing-tools mautic php

Affected surfaces

auth rbac rce_ssrf deps

ReleasePort's take

Strong signal

ReleasePort Layer 1 version 7.1.2 resolves seven critical security vulnerabilities across API endpoints, components, and templates.

Why it matters: All CVEs (severity 100) affect core surfaces; operators must upgrade immediately to prevent SQL injection, SSRF, SSTI, path traversal, auth bypass, and XSS attacks.

Summary

AI summary

Broad release touches 🔒 Security Fixes, 🐛 Bugs, 🤖 DevOps Updates, and XSS.

Changes in this release

Security Critical

  • Fixes SQL Injection vulnerability CVE-2026-4776 in API contact filtering.
  • Fixes Server-Side Request Forgery (SSRF) vulnerability CVE-2026-9557 in Mautic Focus Component.
  • Fixes Server-Side Template Injection (SSTI) vulnerability CVE-2026-9558 in Theme Templates.
  • Fixes Path Traversal vulnerability CVE-2026-9559 via Campaign Import.
  • Fixes Authorization Bypass vulnerability CVE-2026-9808 in API v2 endpoints.
  • Fixes Stored Cross-Site Scripting (XSS) vulnerability CVE-2026-9809 in Projects Component.
  • Fixes Stored Cross-Site Scripting (XSS) vulnerability CVE-2026-9811 in Project Option Selector.

Dependency Medium

  • Updates vulnerable Composer dependencies for the 6.0 security phase.

Bugfix Medium

  • Bumps CKEditor libraries to address issues.
  • Handles adding points to deleted contacts correctly.

Source for all items above: llm_adapter@2026-05-28. Confidence: high.

Full changelog

Announcing Mautic 7.1.2: Aludra Edition

🔒 Security Release

This release addresses several security vulnerabilities. We strongly advise updating your installation at your earliest convenience after performing a full backup and testing the upgrade in a staging environment.

🔒 Security Fixes

  • CVE-2026-4776: SQL Injection in API Contact Filtering

    • Attribution: Reported by @Senku01 and @Harish4948. Fixed by @Senku01. Reviewed by @patrykgruszka.
    • Advisory: GHSA-fcmw-wx57-9p75
  • CVE-2026-9557: SSRF in the Mautic Focus Component

    • Attribution: Reported by @r1beirin and @dungNHVhust. Fixed by @patrykgruszka. Reviewed by @escopecz.
    • Advisory: GHSA-jmv8-8j9j-rcpc
  • CVE-2026-9558: Server-Side Template Injection (SSTI) in Theme Templates

    • Attribution: Reported by @onurcangnc, @xfer0, and @Entropt. Fixed by @onurcangnc. Reviewed by @escopecz and @patrykgruszka.
    • Advisory: GHSA-9fx4-7cmj-47vg
  • CVE-2026-9559: Path Traversal via Campaign Import

    • Attribution: Reported by @nglong05 and @f3nrir77. Fixed by @escopecz. Reviewed by @patrykgruszka.
    • Advisory: GHSA-6r9h-4h75-7q4x
  • CVE-2026-9808: Authorization Bypass in API v2 Endpoints

    • Attribution: Reported by @zerlyer and @pavelkohout396. Fixed by @escopecz. Reviewed by @patrykgruszka.
    • Advisory: GHSA-2jrw-c95w-h43g
  • CVE-2026-9809: Stored Cross-Site Scripting (XSS) in Projects Component

    • Attribution: Reported by @34selen. Fixed by @escopecz. Reviewed by @patrykgruszka.
    • Advisory: GHSA-7h65-whp7-rgqf
  • CVE-2026-9811: Stored Cross-Site Scripting (XSS) in Project Option Selector

    • Attribution: Reported by @pavelkohout396. Fixed by @escopecz. Reviewed by @patrykgruszka.
    • Advisory: GHSA-5hvg-w58j-545m

🤖 DevOps Updates

  • Update vulnerable Composer dependencies for 6.0 security phase (by @escopecz).

What's Changed

πŸ› Bugs

  • Bumping CK editor libraries by @escopecz in https://github.com/mautic/mautic/pull/16074
  • Handling adding points to deleted contacts by @escopecz in https://github.com/mautic/mautic/pull/16073
  • Register mautic:phpunit:config command in test environment only by @fedys in https://github.com/mautic/mautic/pull/16104
  • fix(grapesjs): avoid MJML reparse in HTML mode in source editor by @fujijin in https://github.com/mautic/mautic/pull/15971
  • Stabilizing a flaky test by @escopecz in https://github.com/mautic/mautic/pull/16134

New Contributors

  • @fujijin made their first contribution in https://github.com/mautic/mautic/pull/15971

💡 Release Team & Sponsors

This release was made possible through the dedicated efforts of our community and supporters:

  • Release Leader: @patrykgruszka
  • Release Assistant: @escopecz
  • Sponsor: Special thanks to @leuchtfeuer for sponsoring this security release.

SHA1(7.1.2.zip)= 6da6aa5e2ad41d3f1a1f07788d05fd185e2e0fb3
SHA1(7.1.2-update.zip)= 584841094031c93229a9ebf144f92c34e35ffd26

Security Fixes

  • CVE-2026-4776 — SQL Injection in API Contact Filtering (GHSA-fcmw-wx57-9p75)
  • CVE-2026-9557 — SSRF in Mautic Focus Component (GHSA-jmv8-8j9j-rcpc)
  • CVE-2026-9558 — Server-Side Template Injection in Theme Templates (GHSA-9fx4-7cmj-47vg)
  • CVE-2026-9559 — Path Traversal via Campaign Import (GHSA-6r9h-4h75-7q4x)
  • CVE-2026-9808 — Authorization Bypass in API v2 Endpoints (GHSA-2jrw-c95w-h43g)
  • CVE-2026-9809 — Stored XSS in Projects Component (GHSA-7h65-whp7-rgqf)
  • CVE-2026-9811 — Stored XSS in Project Option Selector (GHSA-5hvg-w58j-545m)


About mautic

Mautic: Open Source Marketing Automation Software.
