
CVE-2026-9809: Mautic 7 Stored XSS Vulnerability

CVE-2026-9809 is a stored XSS vulnerability in the Projects component of Mautic 7 that lets an authenticated low-privilege user inject script into a project name. When an administrator hovers over the poisoned project tag, the script runs in the administrator's session and can perform administrative actions and exfiltrate data. This guide covers technical details, affected versions, impact, and mitigation.


CVE-2026-9809 Overview

CVE-2026-9809 is a stored Cross-Site Scripting (XSS) vulnerability in the Projects component of Mautic 7. The flaw occurs when project tags and popovers are rendered on administrative detail views such as campaigns, emails, and forms. User-supplied project names are displayed without proper output sanitization, allowing injected scripts to execute in an administrator's browser context. The issue is tracked under CWE-79 and is documented in the GitHub Security Advisory GHSA-7h65-whp7-rgqf.

Critical Impact

An authenticated low-privilege user can inject JavaScript via project names that executes when administrators hover over project tags, enabling session hijacking, configuration tampering, and data exfiltration.

Affected Products

  • Mautic 7 (Projects component)
  • Exposure is on the administrative detail views for campaigns, emails, and forms, where project tags and popovers are rendered
  • Any installation in which non-administrative authenticated users are permitted to create or edit projects

Discovery Timeline

  • 2026-05-29 - CVE-2026-9809 published to NVD
  • 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2026-9809

Vulnerability Analysis

The vulnerability resides in how the Mautic 7 Projects component renders project metadata. When project tags and popovers appear on administrative detail views, the application emits stored project name values directly into HTML without contextual output encoding. An attacker with permission to create or edit projects supplies a project name containing a script payload. That payload persists in the database and is later executed in the browser of any administrator who views an associated entity and hovers over the project tag.

Exploitation requires the attacker to hold an authenticated account with project create or edit permissions. The script runs with the privileges of the viewing administrator, making this a stored, second-order attack against high-value users. Successful exploitation can be leveraged to perform administrative actions, alter system configurations, or exfiltrate sensitive marketing automation data.

Root Cause

The root cause is missing output sanitization on user-controlled project name fields. The template layer that renders tags and popovers trusts stored input rather than applying HTML entity encoding, which is the canonical defense for CWE-79 in HTML body and attribute contexts.
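The two contexts named above are worth seeing side by side. The following Python model is an added example, not Mautic's code: Mautic renders these tags from PHP/Twig templates, and the span markup, the renderer names and the sample project names below are all constructed for illustration. It contrasts verbatim concatenation, the common half-fix of escaping only angle brackets, and full entity encoding, then uses Python's own HTML parser to show what a browser would actually see in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample project names (not taken from any real Mautic install):
# the second breaks out of a quoted attribute, the third injects into the body.
SAMPLE_NAMES = {
    "benign": "Q3 Launch",
    "attr_breakout": 'Q3 Launch" onmouseover="alert(1)',
    "body_inject": "Q3 Launch<img src=x onerror=alert(1)>",
}

# Hypothetical tag markup modelled on a Bootstrap-style popover trigger; the
# real Mautic Twig template is not reproduced here. The stored name lands in
# BOTH an attribute context (title="...") and the element body.
TEMPLATE = '<span class="label" data-toggle="popover" title="{name}">{name}</span>'


def render_tag_unsafe(name: str) -> str:
    """CWE-79 pattern: the stored value is concatenated into markup verbatim."""
    return TEMPLATE.format(name=name)


def render_tag_body_only(name: str) -> str:
    """Common half-fix: escape & < > but not quotes. Safe in the body
    context, still exploitable inside the title="" attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=False))


def render_tag_safe(name: str) -> str:
    """Context-aware fix: entity-encode & < > " ' so the value is inert in
    both the quoted attribute and the element body."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _FragmentAudit(HTMLParser):
    """Records every start tag and attribute name that a browser-side parser
    would see in a rendered fragment (entities are decoded, not re-parsed)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)

    handle_startendtag = handle_starttag


def has_injected_markup(fragment: str) -> bool:
    """True if the fragment contains anything beyond the single <span> we
    intended: an extra element, or any on* event-handler attribute."""
    audit = _FragmentAudit()
    audit.feed(fragment)
    audit.close()
    unexpected_tag = len(audit.tags) != 1 or any(t != "span" for t in audit.tags)
    event_handler = any(n.lower().startswith("on") for n in audit.attr_names)
    return unexpected_tag or event_handler


def audit_renderers(name: str) -> dict:
    """Map each renderer to whether its output for `name` carries injected markup."""
    renderers = (render_tag_unsafe, render_tag_body_only, render_tag_safe)
    return {r.__name__: has_injected_markup(r(name)) for r in renderers}


if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        for renderer, injected in audit_renderers(name).items():
            print(f"{label:14} {renderer:22} injected={injected}")
```

The middle renderer is the instructive one: escaping `<`, `>` and `&` neutralises the body-context payload but leaves the attribute-context payload intact, because the same value also sits inside `title="..."`. Encoding quotes as well (or, in Twig, leaving autoescaping on and never applying the `raw` filter to user-controlled fields) covers both contexts at once.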

Attack Vector

The attack vector is network-based and requires user interaction. A low-privilege authenticated attacker injects a malicious payload into a project name. The payload is stored and later rendered for any administrator who navigates to a campaign, email, or form linked to the compromised project. Hovering over the tag triggers the popover rendering path and executes the script. In CVSS terms the scope is changed: the injected script runs in the administrative user's browser session, beyond the attacker's own authorization boundary.

No verified public exploit code is available. Refer to the Mautic security advisory for technical details.

Detection Methods for CVE-2026-9809

Indicators of Compromise

  • Project name fields containing HTML tags, <script> elements, on* event handler attributes, or javascript: URIs.
  • Unexpected outbound requests from administrator browsers to attacker-controlled domains following access to campaign, email, or form detail views.
  • Audit log entries showing project creation or edits by low-privilege users immediately preceding administrative configuration changes.

Detection Strategies

  • Query the Mautic database for project name values matching XSS signatures such as angle brackets, encoded script tags, or event handler attribute names.
  • Inspect web server and application logs for HTTP requests writing unusual payloads to project endpoints under /s/projects. Standard access logs record only the request line, not the POST body that carries the project name, so this check needs a WAF or application-level request logging.
  • Deploy a Content Security Policy (CSP) report-only endpoint to capture inline script violations on administrative views.
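The first strategy, the database query, is easy to get wrong with a bare `LIKE '%<script%'` match, because the signatures listed under Indicators of Compromise can be hidden behind URL encoding or HTML entities. The following Python scanner is an added example, not part of the original page or of Mautic: it normalises each name before matching so that encoded variants collapse to their literal form, and runs over a constructed set of rows standing in for the result of a query against the projects table (table name assumed; check your installation's table prefix and schema).

```python
import html
import re
import urllib.parse

# Signatures a stored-XSS hunt should match after normalisation. Order matters
# only for the labels returned.
SIGNATURES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z!]", re.I)),
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("data_uri_html", re.compile(r"data\s*:\s*text/html", re.I)),
]


def normalise(value: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode and HTML-entity-decode so that '%3Cscript',
    '&lt;script' and '&#60;script' all collapse to '<script'. A fixed number
    of rounds bounds the work on hostile, deeply nested encodings."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan_project_name(name: str) -> list[str]:
    """Return the labels of every signature that matches this project name."""
    text = normalise(name)
    return [label for label, pattern in SIGNATURES if pattern.search(text)]


def scan_rows(rows) -> list[tuple]:
    """rows: iterable of (id, name). Returns (id, name, labels) for hits only."""
    findings = []
    for row_id, name in rows:
        labels = scan_project_name(name or "")
        if labels:
            findings.append((row_id, name, labels))
    return findings


# Constructed sample rows standing in for
#     SELECT id, name FROM projects;      -- table name assumed
# Rows 2-5 carry a raw, entity-encoded, URL-encoded and javascript: payload
# respectively; rows 1 and 6 are benign (an ampersand and a '<3' on their own
# must not raise an alert).
SAMPLE_ROWS = [
    (1, "Spring Newsletter"),
    (2, "Q3 Launch<img src=x onerror=alert(1)>"),
    (3, "Partners &lt;script&gt;fetch('//evil.example')&lt;/script&gt;"),
    (4, "Webinar%22%20onmouseover%3D%22alert%281%29"),
    (5, "<a href='javascript:alert(1)'>Promo</a>"),
    (6, "R&D <3 customers"),
]

if __name__ == "__main__":
    for row_id, name, labels in scan_rows(SAMPLE_ROWS):
        print(f"project {row_id}: {labels}  name={name!r}")
```

In a real hunt, export `id`, `name`, `created_by` and `date_modified` for the flagged rows and join them against the audit log (the third indicator above) before deciding whether a hit is a test record or an actual injection attempt.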

Monitoring Recommendations

  • Alert on changes to administrator accounts, API tokens, or integration credentials that follow project edits by non-administrative users.
  • Monitor browser-side anomalies such as unexpected XHR or fetch calls originating from Mautic admin pages.
  • Forward Mautic application logs to a centralized data lake and apply detection rules for stored XSS patterns in user-supplied fields.

How to Mitigate CVE-2026-9809

Immediate Actions Required

  • Upgrade to the fixed Mautic 7 release identified in GHSA-7h65-whp7-rgqf as soon as it is available to your deployment.
  • Audit existing project records for suspicious names containing HTML or script syntax and sanitize or remove them.
  • Restrict project create and edit permissions to trusted user roles until the patch is applied.

Patch Information

The Mautic project has published the fix and remediation guidance in the GitHub Security Advisory GHSA-7h65-whp7-rgqf. Administrators should apply the upgrade through their standard Mautic deployment process and then verify that the Projects component entity-encodes project names: for example, create a test project whose name contains literal markup such as <b>encoding-check</b>, open a campaign, email, or form linked to it, and confirm that the tag and its popover display the angle brackets literally rather than rendering bold text.

Workarounds

  • Revoke project create and edit permissions from non-administrative roles until patching is complete.
  • Deploy a strict Content Security Policy that disallows inline scripts on administrative routes to limit payload execution. A policy without 'unsafe-inline' also blocks any legitimate inline scripts the Mautic admin UI itself uses, so roll it out as Content-Security-Policy-Report-Only first and enforce only once the violation reports are clean. CSP limits what an injected script can do; it does not remove the stored payload.
  • Place the Mautic administrative interface behind a web application firewall rule that blocks requests containing script tags or event handler attributes in project name parameters. Treat this as a stopgap: signature rules are bypassed by encoded and attribute-breakout variants, so they do not replace the patch.

Example CSP header for Mautic administrative responses:

```http
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
