ZeroPath at Black Hat USA 2026

Mautic CVE-2026-9558: Brief Summary of Critical SSTI to RCE in the Theme Engine

A brief summary of CVE-2026-9558, a critical (CVSS 9.9) Server-Side Template Injection vulnerability in Mautic's theme engine that allows authenticated users to achieve Remote Code Execution through unsandboxed Twig template rendering.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-29

Mautic CVE-2026-9558: Brief Summary of Critical SSTI to RCE in the Theme Engine
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A fundamental architectural gap in Mautic's theme engine allows authenticated users to achieve full Remote Code Execution on the hosting server by uploading crafted Twig templates that the platform renders without any sandbox restrictions. With a CVSS score of 9.9 and over 40,000 websites running Mautic across 85 countries, CVE-2026-9558 represents a significant exposure for organizations relying on this platform for marketing automation.

Mautic is the world's first open source marketing automation platform, founded in 2014 and acquired by Acquia in 2019. It serves as the leading open source alternative to proprietary platforms like HubSpot and Marketo, and has been officially recognized as a Digital Public Good. The platform's broad adoption across marketing departments, many of which lack dedicated security teams, makes this vulnerability particularly relevant.

Technical Information

Root Cause: Unsandboxed Twig Template Rendering

CVE-2026-9558 is classified under CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine. According to MITRE, this CWE applies when a product "uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine."

Mautic uses the Twig templating engine (a PHP based template engine) to render theme templates. The core issue is that Mautic passes user supplied template content directly to the Twig rendering engine without enabling Twig's sandbox extension or imposing strict function restrictions. This means any Twig directive embedded in a theme template is evaluated with the full capabilities of the Twig engine, including access to PHP internals.

CVSS Vector Decomposition

The CVSS v3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over TCP/IP
Attack Complexity (AC)LowNo special conditions required
Privileges Required (PR)LowAuthenticated user with minimal rights
User Interaction (UI)NoneNo victim action needed
Scope (S)ChangedImpact crosses trust boundary to hosting server
Confidentiality (C)HighFull system file access possible
Integrity (I)HighArbitrary code execution possible
Availability (A)HighServer can be fully compromised

The Scope Changed component is particularly important: exploitation of the Mautic application can compromise the underlying hosting server itself, not merely the application. Containerized or shared hosting deployments where the server hosts other workloads face an amplified blast radius.

Attack Flow

The exploitation sequence, based on the GitHub advisory, proceeds as follows:

  1. Authentication: The attacker obtains an authenticated Mautic session with the core:themes:create permission. In typical deployments, this permission is granted to administrators and designated theme designers, but misconfigured installations may extend it more broadly.

  2. Theme Upload: The attacker uploads or creates a theme containing a Twig template file with malicious directives embedded in {{ }} expression blocks.

  3. Template Processing: When Mautic renders the theme, it processes the template through Twig without enabling the sandbox extension.

  4. Object Graph Traversal: Twig evaluates the injected directives, allowing the attacker to traverse the PHP object graph. Common techniques include accessing _self.env.registerUndefinedFilterCallback or similar Twig internals to reach PHP execution functions.

  5. Code Execution: The attacker ultimately calls system(), exec(), or similar PHP functions, achieving arbitrary operating system command execution with the privileges of the web server process.

This attack pattern, Server-Side Template Injection leading to RCE via Twig, is well documented. James Kettle's foundational Black Hat research paper established the exploitation methodology, noting that "unsafely embedding user input in templates enables Server-Side Template Injection, a vulnerability class which can be exploited to inject arbitrary code into the server-side template engine."

The same pattern has been demonstrated in other platforms:

  • Kimai (GHSA-fjhg-96cp-6fcw): "a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities"
  • Grav CMS (GHSA-662m-56v4-3r8f): "SSTI vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute" arbitrary code

Dual Impact: RCE and File Access

Beyond Remote Code Execution, the advisory explicitly notes the vulnerability can also be leveraged to "access restricted system files and configuration settings." Even without achieving code execution, an attacker can use Twig's file system functions (such as file_get_contents accessible through the unsandboxed engine) to read sensitive files including /etc/passwd, database configuration files, Mautic's local.php configuration, and environment variables. This information leakage alone can enable lateral movement, credential theft, and further compromise.

Affected Systems and Versions

Based on the GitHub advisory, all Mautic versions prior to the following patched releases are affected:

Mautic BranchPatched VersionSupport Tier
7.x7.1.2Current stable
6.x6.0.9Supported
5.x5.2.11Supported
4.x4.4.20Extended Long Term Support (ELTS)

Any Mautic installation running a version older than the patched release for its branch is vulnerable. Organizations on versions older than 4.x have no patched release available and must upgrade to a supported branch.

The vulnerability specifically affects installations where any user holds the core:themes:create permission, which grants the ability to create or upload themes. Any Mautic instance exposing an admin or theme authoring interface to the network is at risk.

Vendor Security History

Mautic's security history reveals a recurring pattern of critical vulnerabilities, particularly those enabling Remote Code Execution. CVE-2026-9558 is at least the third critical RCE class vulnerability in Mautic in a two year span:

CVE/AdvisoryYearSeverityVulnerability TypeAuthentication Required
CVE-2026-9558 (GHSA-9fx4-7cmj-47vg)2026Critical (9.9)SSTI in Twig theme templates leading to RCEAuthenticated (core:themes:create)
GHSA-73gx-x7r9-77x22025CriticalRCE and file deletion in asset uploadsAuthenticated
CVE-2024-470512025CriticalArbitrary file upload leading to RCEAuthenticated (low privilege)
CVE-2024-470532025HighAuthorization bypass in HTTP Basic AuthUnauthenticated
Unauthenticated XSS to RCE chain (pre 3.2.4)2021CriticalXSS chain leading to RCEUnauthenticated

CVE-2024-47051 is particularly relevant as a precedent. SonicWall documented that "this vulnerability arises due to a logical flaw in the sanitization process of the file upload functionality," and a public proof of concept exploit was published on GitHub demonstrating that "an authenticated attacker can write arbitrary PHP code inside the web directory." The existence of public exploit code for a prior Mautic RCE vulnerability increases the likelihood that CVE-2026-9558 will also receive public exploit tooling.

The pattern across these vulnerabilities is clear: each exploits a different input handling surface (asset uploads, file uploads, template rendering), but the underlying issue is a systemic weakness in input validation and code execution barriers within the platform's architecture. Mautic's security team does respond with patches across all supported branches and publishes detailed advisories, but the frequency of critical findings suggests architectural rather than isolated flaws.

Horizon3.ai published a detailed technical writeup on the unauthenticated XSS to RCE chain, and the Belgium Cybersecurity Centre (CCB) issued an advisory on Mautic's authorization vulnerabilities, indicating that national level cyber authorities are tracking Mautic as a risk vector.

Threat Intelligence Context

As of the publication date (May 29, 2026), no evidence was found that CVE-2026-9558 is being actively exploited in the wild. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities catalog, and no threat intelligence reports specifically reference exploitation of this CVE.

However, several factors suggest that active exploitation is probable in the near term:

Detailed public advisory: The GitHub advisory explicitly describes the vulnerability mechanism (Twig templates without sandbox), the attack requirement (core:themes:create permission), and the impact (RCE), providing sufficient information for an experienced attacker to develop a working exploit.

Precedent of public exploit code: As noted above, CVE-2024-47051 received a full public PoC on GitHub shortly after disclosure. The same pattern is likely given the similar attack surface.

Large target population: With over 40,000 websites running Mautic across 85 countries, the target population is substantial. Many of these are marketing departments that may not have dedicated security teams or rapid patching cycles.

Time to exploit compression: According to Mondoo's 2026 State of Vulnerabilities report, "2025 saw 48K+ CVEs published (21% YoY growth), 193K malware packages, and time-to-exploit collapsed to just 5 days." The window between CVE publication and weaponized exploitation is shrinking industry wide.

SSTI as a broader trend: CVE-2026-9558 is not an isolated incident. Server-Side Template Injection through Twig and other engines has emerged as a significant vulnerability class across multiple web applications in 2025 and 2026:

  • Craft CMS: Authenticated RCE via Twig SSTI (March 2026)
  • Grav CMS: SSTI through Twig sandbox bypass (December 2025)
  • JumpServer: SSTI in YAML processing leading to RCE (March 2026)
  • Infiniflow RAGFlow: SSTI leading to RCE (March 2026)

This cluster suggests that template engine security is a systemic blind spot across the PHP and Python web application ecosystem. Attackers who develop SSTI exploitation tooling for one platform can readily adapt it to others using the same engine, making Mautic a likely target.

Closing Analysis

The contrast between Mautic's responsive patching (covering four release branches simultaneously) and the recurring discovery of new RCE vectors reveals a fundamental tension. The security team is reactive and thorough, but the platform's architecture, which allows user supplied code to reach execution contexts without sufficient sandboxing, continues to produce new critical findings. Until Mautic adopts a default deny approach to code execution in user controllable surfaces (sandboxed Twig rendering, strict file upload allowlists, and template content validation), further critical CVEs are probable.

The advisory explicitly states that no official workaround exists. The only interim mitigation is restricting the core:themes:create permission to highly trusted administrators. Organizations that cannot immediately upgrade should audit and lock down theme creation permissions, review all installed custom themes for suspicious Twig directives, and consider running Mautic in a containerized environment with restricted OS level privileges to limit the blast radius of successful exploitation.

The absence of active exploitation at time of publication should not delay action. Given the detailed public advisory, the large install base, prior public exploit code for a related Mautic RCE, and the industry wide compression of time to exploit to approximately 5 days, the window for pre emptive patching is measured in days, not weeks.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization