pkg:Packagist/mautic/core

50 total CVEsCRITICAL6HIGH15MEDIUM22LOW2

✅ Check your installed version

All known vulnerabilities

  • CRITICAL9.8CVE-2018-8092CSV Injection vulnerability with exported contact lists in Mautic
    from 0, < 2.13.0
  • CRITICAL9.6CVE-2020-35125Mautic is vulnerable to XSS vulnerability
    from 0, < 2.16.5
  • CRITICAL9.6CVE-2022-25772Cross-site Scripting vulnerability in Mautic's tracking pixel functionality
    from 0, < 4.3.0
  • CRITICAL9.1CVE-2024-47051Mautic allows Remote Code Execution and File Deletion in Asset Uploads
    from 0, < 5.2.3
  • CRITICAL9.0CVE-2020-35129Mautic stored Cross-site Scripting (XSS)
    from 0, < 3.2.4
  • CRITICAL9.0CVE-2020-35128Mautic stored Cross-site Scripting (XSS)
    >= 3.2.0, < 3.2.4
  • HIGH8.8CVE-2017-8874Mautic Cross-Site Request Forgery (CSRF)
  • HIGH8.3CVE-2022-25776Mautic Sensitive Data Exposure due to inadequate user permission settings
    >= 1.0.2, < 4.4.12
  • HIGH8.3CVE-2021-27911XSS vulnerability on contacts view
    from 0, < 3.3.4
  • HIGH8.2CVE-2021-27910Stored XSS vulnerability on Bounce Management Callback
    from 0, < 3.3.4
  • HIGH8.1CVE-2021-27916Mautic vulnerable to Relative Path Traversal / Arbitrary File Deletion due to GrapesJS builder
    >= 3.3.0, < 4.4.12
  • HIGH8.1CVE-2017-1000489Disabled users able to log in with third party SSO plugin
    >= 2.0.0, < 2.12.0
  • HIGH7.8CVE-2022-25770Mautic has insufficient authentication in upgrade flow
    >= 1.0.0-beta3, < 4.4.13
  • HIGH7.7CVE-2024-47053Mautic allows Improper Authorization in Reporting API
    >= 1.0.1, < 5.2.3
  • HIGH7.6CVE-2026-3105Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting
    >= 2.10.0, < 5.2.10
  • HIGH7.6CVE-2021-27915Mautic vulnerable to stored cross-site scripting in description field
    >= 1.0.0-beta2, < 4.4.12
  • HIGH7.5CVE-2017-1000046Sensitive Cookie Without HttpOnly and Secure Flag
    from 0, < 2.1.1
  • HIGH7.5CVE-2018-10189Mautic Sessions could be hijacked due to tracking contacts by an auto-incremented ID
    from 0, < 2.13.0
  • HIGH7.3CVE-2021-27917Mautic has an XSS in contact tracking and page hits report
    >= 1.0.0-beta4, < 4.4.13
  • HIGH7.1CVE-2021-27912XSS vulnerability on asset view
    from 0, < 3.3.4
  • HIGH7.0CVE-2022-25768Mautic vulnerable to Improper Access Control in UI upgrade process
    >= 1.1.3, < 4.4.13
  • MEDIUM6.6CVE-2022-25775Mautic SQL Injection in dynamic Reports
    >= 2.14.1, < 4.4.12
  • MEDIUM6.5CVE-2025-5257Mautic's Predictable Page Indexing Might Lead to Sensitive Data Exposure
    >= 4.0.0, < 4.4.16
  • MEDIUM6.5CVE-2022-25777Mautic: MST-48 Server-Side Request Forgery in Asset section
    >= 1.0.0-beta4, < 4.4.12
  • MEDIUM6.5CVE-2017-1000490Mautic users able to download any files from server using filemanager
    >= 1.0.0, < 2.12.0
  • MEDIUM6.3CVE-2021-27909XSS vulnerability on password reset page
    from 0, < 3.3.4
  • MEDIUM6.1CVE-2017-1000506Mautic Cross Site Scripting (XSS) vulnerability
    from 0, < 2.14.2
  • MEDIUM6.1CVE-2018-11200XSS vulnerability in company name field in Mautic
    from 0, < 2.14.0
  • MEDIUM6.1CVE-2017-1000488Inline JS XSS vulnerability in Mautic
    >= 2.1.0, < 2.12.0
  • MEDIUM6.1CVE-2018-8071XSS vulnerability in theme config file in Mautic
    from 0, < 2.13.0
  • MEDIUM6.1CVE-2018-11198XSS vulnerability in Author URL of themes in Mautic
    >= 2.13.1, < 2.14.0
  • MEDIUM5.9CVE-2025-9824Mautic Vulnerable to User Enumeration via Response Timing
    >= 4.4.0, < 4.4.17
  • MEDIUM5.8CVE-2021-27908Mautic vulnerable to secret data exfiltration via symfony parameters
    from 0, < 3.3.2
  • MEDIUM5.5CVE-2025-9822Mautic vulnerable to secret data extraction via elfinder
    >= 4.4.0, < 4.4.17
  • MEDIUM5.4CVE-2025-5256Mautic has an Open Redirect vulnerability on user unlock path.
    >= 1.0.0, < 4.4.16
  • MEDIUM5.4CVE-2024-47050Mautic vulnerable to XSS in contact/company tracking (no authentication)
    >= 2.6.0, < 4.4.13
  • MEDIUM5.3CVE-2024-47057Mautic allows user name enumeration due to response time difference on password reset form
    >= 1.0.0, < 4.4.16
  • MEDIUM5.1CVE-2024-47056Mautic does not shield .env files from web traffic
    >= 4.4.0, < 4.4.16
  • MEDIUM4.8CVE-2024-47058Mautic vulnerable to Cross-site Scripting (XSS) - stored (edit form HTML field)
    >= 5.0.0-alpha, < 5.1.1
  • MEDIUM4.8CVE-2022-25774Mautic vulnerable to cross-site scripting in notifications via saving Dashboards
    from 0, < 4.4.12
  • MEDIUM4.3CVE-2024-47055Mautic segment cloning doesn't have a proper permission check
    >= 5.0.0-alpha, < 5.2.6
  • MEDIUM4.3CVE-2022-25773Mautic allows Relative Path Traversal in assets file upload
    from 0, < 5.2.3
  • MEDIUM4.3CVE-2024-47059Mautic allows users enumeration due to weak password login
    >= 5.1.0, < 5.1.1
  • LOW3.5CVE-2021-27913Use of a Broken or Risky Cryptographic Algorithm
    from 0, < 3.3.4
  • LOW2.7CVE-2025-9821Mautic vulnerable to SSRF via webhook function
    >= 4.4.0, < 4.4.17
  • CVE-2025-13828Mautic user without privileged access to the Marketplace can install and uninstall composer packages
    >= 4.0.0, < 4.4.18
  • CVE-2025-9823Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
    >= 4.4.0, < 4.4.17
  • CVE-2022-25769Improper regex in htaccess file
    from 0, < 3.3.5
  • CVE-2021-3142XSS in Mautic
    >= 3.0.0, < 3.2.4
  • CVE-2020-35124XSS vulnerability leveraged through referrers could allow un-authorized admin access in Mautic
    >= 3.0.0, < 3.2.4