This vulnerability involves improper neutralization of input in the Projects component of Mautic 7. Specifically, project names supplied by users are rendered without adequate sanitization in administrative detail views such as campaigns, emails, or forms. An attacker with authenticated access and project editing rights can inject stored XSS payloads. When an administrator views an entity linked to the compromised project and hovers over its tag, the malicious script executes in the administrator's browser context. This can lead to unauthorized administrative actions, configuration changes, or sensitive data exposure. The CVSS 3.1 base score is 7.6 (High), reflecting network attack vector, low attack complexity, required privileges, user interaction, and impact on confidentiality and integrity.

Successful exploitation allows an attacker with limited authenticated privileges to execute arbitrary scripts in the context of an administrative user's browser session. This can result in unauthorized administrative actions, alteration of system configurations, or exfiltration of sensitive information. There is no indication of impact on availability. No known exploits in the wild have been reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict project creation and editing permissions to trusted users only. Administrators should exercise caution when interacting with project tags and related UI elements. Monitor vendor channels for updates regarding patches or official mitigations.