Introduction
A fundamental architectural gap in Mautic's theme engine allows authenticated users to achieve full Remote Code Execution on the hosting server by uploading crafted Twig templates that the platform renders without any sandbox restrictions. With a CVSS score of 9.9 and over 40,000 websites running Mautic across 85 countries, CVE-2026-9558 represents a significant exposure for organizations relying on this platform for marketing automation.
Mautic is the world's first open source marketing automation platform, founded in 2014 and acquired by Acquia in 2019. It serves as the leading open source alternative to proprietary platforms like HubSpot and Marketo, and has been officially recognized as a Digital Public Good. The platform's broad adoption across marketing departments, many of which lack dedicated security teams, makes this vulnerability particularly relevant.
Technical Information
Root Cause: Unsandboxed Twig Template Rendering
CVE-2026-9558 is classified under CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. According to MITRE, this CWE applies when a product "uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine."
Mautic uses the Twig templating engine (a PHP based template engine) to render theme templates. The core issue is that Mautic passes user supplied template content directly to the Twig rendering engine without enabling Twig's sandbox extension or imposing strict function restrictions. This means any Twig directive embedded in a theme template is evaluated with the full capabilities of the Twig engine, including access to PHP internals.
CVSS Vector Decomposition
The CVSS v3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| CVSS Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over TCP/IP |
| Attack Complexity (AC) | Low | No special conditions required |
| Privileges Required (PR) | Low | Authenticated user with minimal rights |
| User Interaction (UI) | None | No victim action needed |
| Scope (S) | Changed | Impact crosses trust boundary to hosting server |
| Confidentiality (C) | High | Full system file access possible |
| Integrity (I) | High | Arbitrary code execution possible |
| Availability (A) | High | Server can be fully compromised |
The Scope Changed component is particularly important: exploitation of the Mautic application can compromise the underlying hosting server itself, not merely the application. Containerized or shared hosting deployments where the server hosts other workloads face an amplified blast radius.
Attack Flow
The exploitation sequence, based on the GitHub advisory, proceeds as follows:
-
Authentication: The attacker obtains an authenticated Mautic session with the
core:themes:createpermission. In typical deployments, this permission is granted to administrators and designated theme designers, but misconfigured installations may extend it more broadly. -
Theme Upload: The attacker uploads or creates a theme containing a Twig template file with malicious directives embedded in
{{ }}expression blocks. -
Template Processing: When Mautic renders the theme, it processes the template through Twig without enabling the sandbox extension.
-
Object Graph Traversal: Twig evaluates the injected directives, allowing the attacker to traverse the PHP object graph. Common techniques include accessing
_self.env.registerUndefinedFilterCallbackor similar Twig internals to reach PHP execution functions. -
Code Execution: The attacker ultimately calls
system(),exec(), or similar PHP functions, achieving arbitrary operating system command execution with the privileges of the web server process.
This attack pattern, Server-Side Template Injection leading to RCE via Twig, is well documented. James Kettle's foundational Black Hat research paper established the exploitation methodology, noting that "unsafely embedding user input in templates enables Server-Side Template Injection, a vulnerability class which can be exploited to inject arbitrary code into the server-side template engine."
The same pattern has been demonstrated in other platforms:
- Kimai (GHSA-fjhg-96cp-6fcw): "a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities"
- Grav CMS (GHSA-662m-56v4-3r8f): "SSTI vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute" arbitrary code
Dual Impact: RCE and File Access
Beyond Remote Code Execution, the advisory explicitly notes the vulnerability can also be leveraged to "access restricted system files and configuration settings." Even without achieving code execution, an attacker can use Twig's file system functions (such as file_get_contents accessible through the unsandboxed engine) to read sensitive files including /etc/passwd, database configuration files, Mautic's local.php configuration, and environment variables. This information leakage alone can enable lateral movement, credential theft, and further compromise.
Affected Systems and Versions
Based on the GitHub advisory, all Mautic versions prior to the following patched releases are affected:
| Mautic Branch | Patched Version | Support Tier |
|---|---|---|
| 7.x | 7.1.2 | Current stable |
| 6.x | 6.0.9 | Supported |
| 5.x | 5.2.11 | Supported |
| 4.x | 4.4.20 | Extended Long Term Support (ELTS) |
Any Mautic installation running a version older than the patched release for its branch is vulnerable. Organizations on versions older than 4.x have no patched release available and must upgrade to a supported branch.
The vulnerability specifically affects installations where any user holds the core:themes:create permission, which grants the ability to create or upload themes. Any Mautic instance exposing an admin or theme authoring interface to the network is at risk.
Vendor Security History
Mautic's security history reveals a recurring pattern of critical vulnerabilities, particularly those enabling Remote Code Execution. CVE-2026-9558 is at least the third critical RCE class vulnerability in Mautic in a two year span:
| CVE/Advisory | Year | Severity | Vulnerability Type | Authentication Required |
|---|---|---|---|---|
| CVE-2026-9558 (GHSA-9fx4-7cmj-47vg) | 2026 | Critical (9.9) | SSTI in Twig theme templates leading to RCE | Authenticated (core:themes:create) |
| GHSA-73gx-x7r9-77x2 | 2025 | Critical | RCE and file deletion in asset uploads | Authenticated |
| CVE-2024-47051 | 2025 | Critical | Arbitrary file upload leading to RCE | Authenticated (low privilege) |
| CVE-2024-47053 | 2025 | High | Authorization bypass in HTTP Basic Auth | Unauthenticated |
| Unauthenticated XSS to RCE chain (pre 3.2.4) | 2021 | Critical | XSS chain leading to RCE | Unauthenticated |
CVE-2024-47051 is particularly relevant as a precedent. SonicWall documented that "this vulnerability arises due to a logical flaw in the sanitization process of the file upload functionality," and a public proof of concept exploit was published on GitHub demonstrating that "an authenticated attacker can write arbitrary PHP code inside the web directory." The existence of public exploit code for a prior Mautic RCE vulnerability increases the likelihood that CVE-2026-9558 will also receive public exploit tooling.
The pattern across these vulnerabilities is clear: each exploits a different input handling surface (asset uploads, file uploads, template rendering), but the underlying issue is a systemic weakness in input validation and code execution barriers within the platform's architecture. Mautic's security team does respond with patches across all supported branches and publishes detailed advisories, but the frequency of critical findings suggests architectural rather than isolated flaws.
Horizon3.ai published a detailed technical writeup on the unauthenticated XSS to RCE chain, and the Belgium Cybersecurity Centre (CCB) issued an advisory on Mautic's authorization vulnerabilities, indicating that national level cyber authorities are tracking Mautic as a risk vector.
Threat Intelligence Context
As of the publication date (May 29, 2026), no evidence was found that CVE-2026-9558 is being actively exploited in the wild. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities catalog, and no threat intelligence reports specifically reference exploitation of this CVE.
However, several factors suggest that active exploitation is probable in the near term:
Detailed public advisory: The GitHub advisory explicitly describes the vulnerability mechanism (Twig templates without sandbox), the attack requirement (core:themes:create permission), and the impact (RCE), providing sufficient information for an experienced attacker to develop a working exploit.
Precedent of public exploit code: As noted above, CVE-2024-47051 received a full public PoC on GitHub shortly after disclosure. The same pattern is likely given the similar attack surface.
Large target population: With over 40,000 websites running Mautic across 85 countries, the target population is substantial. Many of these are marketing departments that may not have dedicated security teams or rapid patching cycles.
Time to exploit compression: According to Mondoo's 2026 State of Vulnerabilities report, "2025 saw 48K+ CVEs published (21% YoY growth), 193K malware packages, and time-to-exploit collapsed to just 5 days." The window between CVE publication and weaponized exploitation is shrinking industry wide.
SSTI as a broader trend: CVE-2026-9558 is not an isolated incident. Server-Side Template Injection through Twig and other engines has emerged as a significant vulnerability class across multiple web applications in 2025 and 2026:
- Craft CMS: Authenticated RCE via Twig SSTI (March 2026)
- Grav CMS: SSTI through Twig sandbox bypass (December 2025)
- JumpServer: SSTI in YAML processing leading to RCE (March 2026)
- Infiniflow RAGFlow: SSTI leading to RCE (March 2026)
This cluster suggests that template engine security is a systemic blind spot across the PHP and Python web application ecosystem. Attackers who develop SSTI exploitation tooling for one platform can readily adapt it to others using the same engine, making Mautic a likely target.
Closing Analysis
The contrast between Mautic's responsive patching (covering four release branches simultaneously) and the recurring discovery of new RCE vectors reveals a fundamental tension. The security team is reactive and thorough, but the platform's architecture, which allows user supplied code to reach execution contexts without sufficient sandboxing, continues to produce new critical findings. Until Mautic adopts a default deny approach to code execution in user controllable surfaces (sandboxed Twig rendering, strict file upload allowlists, and template content validation), further critical CVEs are probable.
The advisory explicitly states that no official workaround exists. The only interim mitigation is restricting the core:themes:create permission to highly trusted administrators. Organizations that cannot immediately upgrade should audit and lock down theme creation permissions, review all installed custom themes for suspicious Twig directives, and consider running Mautic in a containerized environment with restricted OS level privileges to limit the blast radius of successful exploitation.
The absence of active exploitation at time of publication should not delay action. Given the detailed public advisory, the large install base, prior public exploit code for a related Mautic RCE, and the industry wide compression of time to exploit to approximately 5 days, the window for pre emptive patching is measured in days, not weeks.
References
- NVD: CVE-2026-9558
- GitHub Advisory: GHSA-9fx4-7cmj-47vg (Server-Side Template Injection in Theme Templates)
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
- Mautic Security Page
- Mautic GitHub Security Policy
- James Kettle: Server-Side Template Injection: RCE for the Modern Web App (Black Hat)
- Kimai SSTI to RCE Advisory (GHSA-fjhg-96cp-6fcw)
- Grav CMS SSTI Sandbox Bypass Advisory (GHSA-662m-56v4-3r8f)
- Craft CMS Twig SSTI Advisory (GHSA-94rc-cqvm-m4pw)
- JumpServer SSTI Advisory (GHSA-qx8h-rx2j-j5wc)
- Infiniflow RAGFlow SSTI Advisory (GHSA-vvwj-fvwh-4whx)
- Mautic RCE and File Deletion in Asset Uploads (GHSA-73gx-x7r9-77x2)
- SonicWall: Critical Mautic Vulnerability CVE-2024-47051
- Horizon3.ai: Unauthenticated XSS to RCE Chain in Mautic
- Public PoC for CVE-2024-47051 (mallo-m)
- NVD: CVE-2024-47053
- Belgium CCB Advisory on Mautic Authorization Vulnerabilities
- Acquia Acquires Mautic
- Mautic: 10 Years of Community-Powered Marketing Automation
- CISA Known Exploited Vulnerabilities Catalog
- Mondoo: 2026 State of Vulnerabilities Report



