
CVE-2026-9811: Mautic 7 Stored XSS Vulnerability

CVE-2026-9811 is a stored XSS vulnerability in Mautic 7's project selector component that allows authenticated attackers to inject malicious scripts. This article covers the technical details, impact, and mitigation strategies.

CVE-2026-9811 Overview

CVE-2026-9811 is a stored Cross-Site Scripting (XSS) vulnerability in the project selector component of Mautic 7. The application fails to sanitize project names returned via AJAX before injecting them into the Document Object Model (DOM) as option fields. An authenticated user with project creation permissions can store a malicious script payload in a project name. When another administrative user opens an entity editor containing the project selector, the script executes in their browser session. The flaw is tracked under CWE-79.

Critical Impact

A low-privileged authenticated attacker can hijack administrator sessions, perform unauthorized state changes, or access organizational data within the Mautic dashboard.

Affected Products

  • Mautic 7 (project selector component)
  • Deployments where multiple users share administrative interfaces
  • Instances permitting low-privilege users to create projects

Discovery Timeline

  • 2026-05-29 - CVE-2026-9811 published to the National Vulnerability Database (NVD)
  • 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2026-9811

Vulnerability Analysis

The vulnerability resides in the project selector rendering logic of Mautic 7. The component requests project records via AJAX and inserts the returned name field into <option> elements without output encoding. Because the project name is treated as trusted HTML rather than text content, an attacker-controlled string containing script tags or event-handler attributes executes when the browser parses the rendered selector.

The attack scope crosses a security boundary. The malicious payload is stored by one authenticated user but triggered in another user's session, typically an administrator opening an entity editor that lists projects. Exploitation requires the victim to interact with the affected interface, which is a routine administrative task.

Successful execution runs in the context of the victim's authenticated session. The attacker can issue requests to Mautic on behalf of the administrator, read DOM content including session-scoped data, or pivot to other administrative functions exposed to that user.

Root Cause

The root cause is missing output sanitization of user-supplied project names during DOM injection. The selector concatenates raw values from the AJAX response into HTML rather than assigning them through safe APIs such as textContent or applying HTML entity encoding for &, <, >, ", and '.
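The following is an added illustration, not Mautic's code: the vulnerable concatenation pattern described above next to a hardened renderer. The project records and the payload string are constructed, and the function names are chosen here.

```javascript
// Constructed sample records standing in for an AJAX project-list response.
const projects = [
  { id: 1, name: "Spring Campaign" },
  // Constructed payload in the position an attacker-controlled name would occupy.
  { id: 2, name: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: the raw name is concatenated into HTML, so any markup
// in it is parsed as live DOM when the selector is rendered.
function renderOptionsUnsafe(records) {
  return records
    .map((p) => `<option value="${p.id}">${p.name}</option>`)
    .join("");
}

// Encode the five characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened string renderer: every interpolated value is encoded, and the id is
// coerced to a number so the attribute cannot carry markup either.
function renderOptionsSafe(records) {
  return records
    .map((p) => `<option value="${Number(p.id)}">${escapeHtml(p.name)}</option>`)
    .join("");
}

// Preferred in the browser: build nodes and assign textContent, so no HTML
// string is ever parsed. Needs a real DOM (document), so it is not exercised here.
function populateSelectSafe(selectEl, records) {
  selectEl.replaceChildren();
  for (const p of records) {
    const opt = document.createElement("option");
    opt.value = String(p.id);
    opt.textContent = p.name; // stored as inert text, never parsed as markup
    selectEl.appendChild(opt);
  }
  return selectEl.options.length;
}
```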

Attack Vector

The attack vector is network-based and requires low privileges plus victim interaction. An attacker with project-creation rights stores a script-bearing project name as the payload. The payload remains dormant until an administrative user opens any entity editor that populates the project selector via AJAX, at which point the script executes within the administrator's authenticated session.

No verified exploit code is publicly available. See the GitHub Security Advisory GHSA-5hvg-w58j-545m for vendor-confirmed technical details.

Detection Methods for CVE-2026-9811

Indicators of Compromise

  • Project name fields in the Mautic database containing HTML tags such as <script>, <img onerror=...>, or javascript: URIs.
  • AJAX responses from project listing endpoints returning unsanitized HTML in the name attribute.
  • Browser console errors or unexpected outbound requests originating from administrative pages that render the project selector.
  • Audit log entries showing project creation by accounts that subsequently exhibit no normal project activity.

Detection Strategies

  • Run database queries against the Mautic project table searching for control characters, angle brackets, or on*= event handlers within name columns.
  • Add Content Security Policy (CSP) reporting endpoints to capture inline-script violations triggered by stored payloads.
  • Inspect web server access logs for repeated POST or PATCH requests to project endpoints originating from low-privileged accounts.
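As an added example (not part of this advisory or of Mautic), the database-query indicator above expressed as a scanner over exported project rows: it flags the HTML tags, on*= handlers, javascript: URIs and control characters listed in the indicators, plus entity-encoded brackets that a plain angle-bracket search misses. The column names and sample rows are constructed.

```javascript
// Patterns for the indicators listed above; labels are chosen here.
const SUSPICIOUS_PATTERNS = [
  { label: "html-tag", re: /<\s*\/?\s*[a-z][^>]*>/i },
  { label: "event-handler", re: /\bon[a-z]+\s*=/i },
  { label: "javascript-uri", re: /javascript\s*:/i },
  { label: "control-char", re: /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/ },
  // Entity- or percent-encoded brackets can hide markup from a literal '<' search.
  { label: "encoded-markup", re: /&(lt|gt|#x3[ce]|#6[02]);|%3c|%3e/i },
];

// Returns the labels of every pattern that matches one project name.
function scanProjectName(name) {
  return SUSPICIOUS_PATTERNS
    .filter(({ re }) => re.test(String(name)))
    .map(({ label }) => label);
}

// One finding per flagged row, carrying the creating account so results can be
// correlated with the audit-log indicator above.
function scanProjects(rows) {
  const findings = [];
  for (const row of rows) {
    const indicators = scanProjectName(row.name);
    if (indicators.length > 0) {
      findings.push({ id: row.id, createdBy: row.created_by, indicators });
    }
  }
  return findings;
}

// Constructed rows standing in for an export of the project table
// (column names assumed: id, name, created_by).
const sampleRows = [
  { id: 1, name: "Spring Campaign", created_by: "marketing" },
  { id: 2, name: "<img src=x onerror=alert(1)>", created_by: "contractor" },
  { id: 3, name: "Q3 <b>Launch</b>", created_by: "admin" },
  { id: 4, name: "Click javascript:void(0)", created_by: "contractor" },
  { id: 5, name: "Budget & Planning", created_by: "marketing" }, // a bare '&' is benign
];

// Stand-alone run: prints one line per flagged row.
for (const f of scanProjects(sampleRows)) {
  console.log(`project ${f.id} by ${f.createdBy}: ${f.indicators.join(", ")}`);
}
```

Row 3 shows why a hit is a triage lead rather than a verdict: harmless formatting in a name matches the same tag pattern as a payload.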

Monitoring Recommendations

  • Monitor administrator browser sessions for anomalous API calls issued shortly after opening entity editors.
  • Alert on creation or modification of project records containing non-alphanumeric characters outside an approved set.
  • Track authentication anomalies such as new API tokens or password resets initiated from administrative sessions.

How to Mitigate CVE-2026-9811

Immediate Actions Required

  • Apply the Mautic security update referenced in GHSA-5hvg-w58j-545m as soon as it is available.
  • Audit existing project names and remove or rename any entries containing HTML or script syntax.
  • Restrict project creation permissions to trusted users until the patch is deployed.
  • Force re-authentication and rotate session cookies for administrative accounts that may have been exposed.

Patch Information

Refer to the Mautic GitHub Security Advisory GHSA-5hvg-w58j-545m for the fixed version and patch commit. Apply vendor updates following standard change-control procedures and validate that the project selector renders project names as inert text after upgrading.

Workarounds

  • Enforce a strict Content Security Policy that blocks inline scripts and disallows unsafe-inline for the Mautic interface.
  • Temporarily disable project-selector rendering in custom views, or replace AJAX-loaded option lists with server-rendered, escaped templates.
  • Apply a web application firewall (WAF) rule that strips HTML metacharacters from project name parameters submitted to Mautic endpoints.
  • Limit administrative dashboard access to a hardened network segment to reduce session theft impact.
Example Content Security Policy header for the Mautic web server (nginx add_header syntax):

```nginx
# Example Content Security Policy header for Mautic web server
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri /csp-report" always;
```

Deploy the same policy first as Content-Security-Policy-Report-Only and review the reports, so that violations from the Mautic interface's own scripts are found before inline execution is actually blocked.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
