GHSA-JMV8-8J9J-RCPC
Vulnerability from github – Published: 2026-07-02 19:47 – Updated: 2026-07-02 19:48Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (MauticFocusBundle). Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server.
Impact
An authenticated user with access to the Mautic panel can exploit this vulnerability to perform internal port probing or force the server to initiate requests to external or arbitrary internal destinations. This can enable internal network reconnaissance or mapping of firewalled infrastructure.
Patched Versions
This security issue has been fixed in the following releases: * 7.1.2 * 6.0.9 * 5.2.11 * 4.4.20 ELTS
Mautic strongly recommend upgrading to the latest version corresponding to your release branch.
Workarounds
There are no official workarounds. To completely mitigate the exposure without upgrading, disabling or limiting external network access from the Mautic web server to internal-only subnets/local hosts is recommended.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9557"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T19:47:38Z",
"nvd_published_at": "2026-05-29T11:16:17Z",
"severity": "MODERATE"
},
"details": "### Summary\nA Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (`MauticFocusBundle`). Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server.\n\n### Impact\nAn authenticated user with access to the Mautic panel can exploit this vulnerability to perform internal port probing or force the server to initiate requests to external or arbitrary internal destinations. This can enable internal network reconnaissance or mapping of firewalled infrastructure.\n\n### Patched Versions\nThis security issue has been fixed in the following releases:\n* **7.1.2**\n* **6.0.9**\n* **5.2.11**\n* **4.4.20** [ELTS](https://mautic.org/extended-long-term-support-elts/)\n\nMautic strongly recommend upgrading to the latest version corresponding to your release branch.\n\n### Workarounds\nThere are no official workarounds. To completely mitigate the exposure without upgrading, disabling or limiting external network access from the Mautic web server to internal-only subnets/local hosts is recommended.",
"id": "GHSA-jmv8-8j9j-rcpc",
"modified": "2026-07-02T19:48:27Z",
"published": "2026-07-02T19:47:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-jmv8-8j9j-rcpc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9557"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mautic Focus component Vulnerable to SSRF"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.