Mautic Mautic
37 CVEs affecting Mautic Mautic. Latest disclosed: 2026-02-24. Critical: 1, High: 13.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-25772 | Critical | 9.6 | 2022-06-20 | A cross-site scripting (XSS) vulnerability in the web tracking component of Mautic before 4.3.0 allows remote attackers to inject executable javascript |
| CVE-2022-25776 | High | 8.3 | 2024-09-18 | Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from accessing. Users could… |
| CVE-2021-27911 | High | 8.3 | 2021-08-30 | Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's de… |
| CVE-2021-27910 | High | 8.2 | 2021-08-30 | Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function. The values submitted i… |
| CVE-2021-27916 | High | 8.1 | 2024-09-17 | Prior to the patched version, logged in users of Mautic are vulnerable to Relative Path Traversal/Arbitrary File Deletion. Regardless of the level of access th… |
| CVE-2022-25770 | High | 7.8 | 2024-09-18 | Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation. Th… |
| CVE-2026-3105 | High | 7.6 | 2026-02-24 | Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query co… |
| CVE-2021-27915 | High | 7.6 | 2024-09-17 | Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in use… |
| CVE-2021-27914 | High | 7.6 | 2022-06-01 | A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript |
| CVE-2017-1000046 | High | 7.5 | 2017-07-17 | Mautic 2.6.1 and earlier fails to set flags on session cookies |
| CVE-2021-27917 | High | 7.3 | 2024-09-18 | Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report. |
| CVE-2022-25769 | High | 7.2 | 2024-09-18 | Impact: The default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the applicatio… |
| CVE-2021-27912 | High | 7.1 | 2021-08-30 | Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken… |
| CVE-2022-25768 | High | 7.0 | 2024-09-18 | The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to t… |
| CVE-2022-25775 | Medium | 6.6 | 2024-09-18 | Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and al… |
| CVE-2025-5257 | Medium | 6.5 | 2025-05-28 | Summary: This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially in… |
| CVE-2022-25777 | Medium | 6.5 | 2024-09-18 | Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the application due to a Server-Side… |
| CVE-2021-27909 | Medium | 6.3 | 2021-08-30 | For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL coul… |
| CVE-2025-9824 | Medium | 5.9 | 2025-09-03 | Impact: The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after whi… |
| CVE-2021-27908 | Medium | 5.8 | 2021-03-23 | In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging… |