{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mautic-7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-9809"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mautic 7"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","mautic","cve"],"_cs_type":"advisory","_cs_vendors":["Mautic"],"content_html":"\u003cp\u003eA significant stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-9809) has been discovered in the Projects component of Mautic version 7. This flaw permits an authenticated attacker with permissions to create or edit projects to inject arbitrary malicious JavaScript into project names. When these unsanitized project names are subsequently rendered in administrative detail views (such as campaigns or forms) and an administrative user hovers over the associated project tag or popover, the injected script executes within the victim's browser context. This could lead to session hijacking, unauthorized administrative actions, modification of system configurations, or exfiltration of sensitive organizational data. The vulnerability specifically affects Mautic versions 7.0.0 through 7.1.1 and has been addressed in version 7.1.2. Mautic 6.x, 5.x, and 4.x branches are not impacted as they do not include the Projects feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains legitimate, authenticated access to a Mautic 7 instance with permissions to create or modify projects.\u003c/li\u003e\n\u003cli\u003eUsing the Mautic administrative interface, the attacker navigates to the project creation or editing functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new project or modifies an existing one, injecting a malicious script payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.domain)\u0026lt;/script\u0026gt;\u003c/code\u003e) into the project name field.\u003c/li\u003e\n\u003cli\u003eMautic stores this unsanitized project name, including the malicious script, in its backend database.\u003c/li\u003e\n\u003cli\u003eA victim administrative user accesses an administrative detail view (e.g., a campaign or email detail page) that displays entities associated with the compromised project.\u003c/li\u003e\n\u003cli\u003eAs the victim user hovers their mouse cursor over the malicious project's tag or a related popover on the administrative detail page, the unsanitized project name is rendered client-side.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code, embedded within the project name, executes within the victim's web browser in the context of their Mautic session.\u003c/li\u003e\n\u003cli\u003eThe executed script hijacks the victim's session, exfiltrates sensitive information, performs unauthorized administrative actions, or alters system configurations on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9809 grants attackers the ability to execute arbitrary JavaScript code within the context of an unsuspecting administrative user's Mautic session. This direct access to the victim's browser session allows for significant consequences including, but not limited to, session hijacking, exfiltration of sensitive data, unauthorized modification of Mautic's system configurations, or even complete administrative control over the Mautic instance. While no specific victim counts or sectors are detailed, any organization utilizing Mautic 7 (versions 7.0.0 to 7.1.1) for marketing automation is vulnerable to these severe data integrity and confidentiality risks if an authenticated user with project management permissions is compromised or malicious.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-9809\u003c/strong\u003e by upgrading all Mautic 7 installations to version 7.1.2 or later immediately.\u003c/li\u003e\n\u003cli\u003eRestrict project creation and modification permissions to only highly trusted administrative users within your Mautic instance to mitigate the risk until patching is complete.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:32:44Z","date_published":"2026-07-03T11:32:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mautic-xss/","summary":"A high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-9809, affects Mautic 7's Projects component, allowing an authenticated user with project creation/edit permissions to inject malicious script payloads into project names that execute when an administrative user hovers over affected project tags, potentially leading to administrative actions, configuration alteration, or sensitive data exfiltration.","title":"Mautic Stored XSS in Projects Component (CVE-2026-9809)","url":"https://feed.craftedsignal.io/briefs/2026-07-mautic-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Mautic 7","version":"https://jsonfeed.org/version/1.1"}