CVE-2026-9811: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
AI Analysis
Technical Summary
This vulnerability arises from improper neutralization of input (CWE-79) in Mautic 7.0.0's project selector component. Specifically, project names returned via AJAX are injected into the DOM as option fields without sanitization, enabling stored XSS attacks. An attacker with authenticated project creation rights can embed malicious JavaScript in project names. When other users with administrative privileges open entity editors that include the project selector, the injected script executes in their browser session, potentially compromising session integrity and data confidentiality. The CVSS 3.1 vector indicates network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary scripts in the context of administrative users' browsers. This can lead to session hijacking, unauthorized actions within the application, and exposure of sensitive organizational data accessible via the dashboard. The impact is limited to confidentiality and integrity with no direct availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict project creation permissions to trusted users only and consider monitoring for suspicious project names. Avoid opening entity editors containing the project selector with untrusted project data. Follow vendor updates closely for any forthcoming patches or mitigations.
CVE-2026-9811: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from improper neutralization of input (CWE-79) in Mautic 7.0.0's project selector component. Specifically, project names returned via AJAX are injected into the DOM as option fields without sanitization, enabling stored XSS attacks. An attacker with authenticated project creation rights can embed malicious JavaScript in project names. When other users with administrative privileges open entity editors that include the project selector, the injected script executes in their browser session, potentially compromising session integrity and data confidentiality. The CVSS 3.1 vector indicates network attack vector, low attack complexity, required privileges, user interaction, and partial impact on confidentiality and integrity.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary scripts in the context of administrative users' browsers. This can lead to session hijacking, unauthorized actions within the application, and exposure of sensitive organizational data accessible via the dashboard. The impact is limited to confidentiality and integrity with no direct availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict project creation permissions to trusted users only and consider monitoring for suspicious project names. Avoid opening entity editors containing the project selector with untrusted project data. Follow vendor updates closely for any forthcoming patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Mautic
- Date Reserved
- 2026-05-28T08:07:14.977Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a197d1ee29bf47b50e0e4c3
Added to database: 5/29/2026, 11:48:46 AM
Last enriched: 5/29/2026, 12:04:08 PM
Last updated: 5/29/2026, 6:10:08 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.