Mautic Hit by Twig-Theme SSTI RCE: CVE-2026-9558, Bundled May Patch Fixes 7 CVEs
CVE-2026-9558 (CVSS 9.9) in Mautic, the open-source marketing automation platform, lets authenticated users with theme-upload permission execute arbitrary code via Twig SSTI: themes were rendered without a sandbox. Fixed in 7.1.2 / 6.0.9 / 5.2.11 / 4.4.20 (ELTS), with six more CVEs (SQLi, SSRF, path traversal, authz bypass, stored XSS x2) shipped in the same May 28, 2026 release. ~18,000 live sites and a growing Japanese B2B marketing footprint backed by Acquia Japan.

Makoto Horikawa
Backend Engineer / AWS / Django
Mautic, the open-source marketing-automation platform, lets an authenticated administrator who can upload themes (the design package for emails and landing pages) execute arbitrary code on the host. The CVSS score is 9.9 (Critical), the CVE ID is CVE-2026-9558, and the fix shipped on May 28, 2026 across four branches simultaneously: 7.1.2 / 6.0.9 / 5.2.11 / 4.4.20 (ELTS).
At first glance this reads like a single SSTI (Server-Side Template Injection) bug. The real weight is that seven CVEs were bundled into the same release: SQL injection, SSRF, path traversal, an API authorization bypass, two stored XSS, and the Twig SSTI in this story. A month's worth of vulnerabilities arrived compressed into one update.
Mautic is positioned as the self-hosted, open-source equivalent of HubSpot or Marketo, with development led by Acquia (the company behind Drupal) since the 2019 acquisition. WebTechSurvey counts 18,483 live sites running Mautic, and the GitHub repository has 7.9k stars. B2B teams running their own email-and-lead-management stack on Mautic are exactly the audience this article addresses.
What Happened — At-a-Glance Table
The points to settle first, in one table. Use this to decide whether your Mautic instance is exposed to the combination that triggers the bug.
| Item | Detail |
|---|---|
| CVE | CVE-2026-9558 |
| CVSS | 9.9 (Critical, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) |
| CWE | CWE-1336 (Improper neutralization in template engines) |
| Product | Mautic (both the open-source edition and Acquia Marketing Cloud) |
| Affected versions | 7.x: < 7.1.2; 6.x: < 6.0.9; 5.x: < 5.2.11; 4.4.x: < 4.4.20 (ELTS) |
| Patch release date | May 28, 2026 (four branches at once) |
| Preconditions | Authenticated user with core:themes:create permission |
| What gets taken on success | Arbitrary code execution as the web-server process = full Mautic takeover |
| Bundled CVEs in release | 7 total (SSTI / SQLi / SSRF / Path Traversal / Authz Bypass / Stored XSS x2) |
| Workaround | None official (mitigation: restrict theme permissions to trusted administrators) |
Because the attack requires authentication and a specific permission, the CVSS vector carries PR:L. But the analysis rated Scope as Changed — the attack reaches well beyond the vulnerable component itself — and the final score climbed to 9.9. The math is telling you that the moment Mautic itself falls, the contact databases, the verified sending domain, and the integration tokens to downstream CRMs are carried off in the same compromise.
What Mautic Is — The Open-Source HubSpot
Mautic is a self-hosted marketing automation (MA) platform that bundles email sending, landing-page building, campaign automation, lead scoring, and behavioral tracking in a single Symfony-based PHP application. You can run it on your own server or on AWS or Acquia.
It started as an independent open-source project in 2014. In 2019, Acquia — the US company founded by Drupal creator Dries Buytaert — acquired it, and the open-source edition has continued in parallel with Acquia Marketing Cloud ever since. The pitch against HubSpot or Marketo is cost: where the SaaS competitors run from several thousand to tens of thousands of dollars a month, a self-hosted Mautic stack typically lands at roughly $100–150/month at 50k contacts.
The theme feature at the center of this bug is how Mautic loads the visual shell of emails and landing pages: a custom ZIP package that an administrator uploads through the Theme Manager. The template engine is Symfony's standard Twig. That ingestion path had no sandbox protection — that is the root cause of the CVE.
Who Wants This Bug, and What They Walk Off With
When the precondition is "authenticated, with theme-creation permission," the first instinct is to picture an insider scenario. But MA platforms have a structural quirk: theme-edit permission tends to be sprinkled widely — to marketing assistants, to outside agency staff, to seasonal accounts that wake up only for the quarterly big push. This is who buys access to that boundary, how they probe it, and what they remove from your environment.
The people who want this bug on their price list are business email compromise crews who want to reuse a sending domain that has already passed SPF, DKIM, and DMARC at scale; East European credential resellers who want to package the prospect lists of pharma, financial-services, and recruiting customers for a name broker; ransomware affiliates who want to pivot off OAuth tokens linking Mautic to Salesforce or HubSpot to reach the CRM itself; and access brokers who want to sell, by the month, the simple fact that "this agency holds theme-edit credentials across thirty customer tenants" as initial access. Once any of them gets a single Mautic foothold, the same session lifts out: the customer database (email, name, behavior history, lead score), every subscriber's opt-in consent log, the reputation profile of the corporate sending domain and IP, the API keys for Salesforce / HubSpot / Zoho integrations, the signing keys for SMTP relays like SendGrid or SES, and the draft of next quarter's flagship campaign sitting in the editor. The instant CVE-2026-9558 is triggered, that whole stack walks out the door.
Reconnaissance is mechanically cheap on MA platforms. Mautic exposes telltale paths like /index.php/s/login and /mtc/login, so a single Shodan or Censys query for "Mautic Login" surfaces production instances worldwide. Read the deployment guides published by integration partners and you find sentences like "give the marketing assistant role theme-create permission so they can edit email templates" — which hands attackers a blueprint that points straight at seasonal accounts, off-boarded employees, and outside template designers as the cheapest credential-stuffing targets. The CISA KEV catalog already contains a prior Mautic RCE entry (CVE-2024-47051), yet very few SOCs include Mautic in their external monitoring or patch-tracking rotation.
CVSS 9.9 is the technical severity of one Mautic container losing its process privileges. For the marketing team and the IT operations team, the actual losses are the deliverability reputation of a sending domain you have spent five years warming up, the trust of the hundreds of thousands of opt-in subscribers who joined your nurture sequences, the deal history and proposal copies you have synced into Salesforce, and the brand credibility that lets a recipient look at the From-address and decide that this email is real. The worst variant is when this bug fires the week before an annual flagship campaign — that quarter's revenue forecast disappears with the sending-domain reputation.
Three-Layer Reach Table
Cross-referencing Mautic deployment patterns against what CVE-2026-9558 reaches and what it does not. Use this to make your self-assessment quickly.
| Deployment pattern | In reach via CVE-2026-9558 | Out of reach (needs another CVE/route) |
|---|---|---|
| Self-hosted SMB B2B marketing team | ○ Mautic web-server process privileges ○ Entire contact DB ○ Opt-in consent logs ○ SendGrid/SES API secrets | × Co-located ERP DB × Corp AD/Entra ID × Host OS root (needs privesc) |
| Agency / SI multi-tenant SaaS hosting of multiple customers | ○ Lateral movement across all co-tenants ○ Cross-tenant draft visibility ○ Shared-proxy Salesforce credentials | × Customer-specific external CRMs × Agency back-office (depends on net split) |
| Acquia Marketing Cloud managed hosting (commercial) | ○ RCE within tenant scope ○ Themes, templates, contact lists | × Acquia control plane × Cross-tenant pivot (depends on isolation) * Vendor patch SLA varies |
The agency / SI multi-tenant pattern is the worst case. When one agency account can edit every customer tenant horizontally, a single missed security bulletin can chain into the loss of every customer's Mautic in one night. Agency operators should treat "produce a horizontal table of customer Mautic versions" as a tonight-or-tomorrow-morning task.
Inside CVE-2026-9558 — Twig Ran Without a Sandbox
The technical root of this CVE comes down to one line: Mautic rendered uploaded Twig templates without a sandbox and without strict function restrictions. The official GitHub Security Advisory (GHSA-9fx4-7cmj-47vg) phrases it directly: "The platform renders uploaded Twig templates without a sandbox or strict function restrictions."
Twig provides a SandboxExtension precisely for this kind of input. The standard practice when you evaluate user-supplied templates is to constrain them to a whitelist of allowed tags, filters, and method calls. Without that constraint, classic sandbox-bypass payloads — for example {{ _self.env.registerUndefinedFilterCallback("system") }} or function-style calls such as {{ ['id']|map('system') }} — run as written, and the PHP process executes the resulting system command. This is the textbook SSTI case reproduced verbatim inside Mautic.
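What the missing sandbox looks like when it is present, as an added example that is not Mautic's code: a Twig environment that renders theme templates only through SandboxExtension with an allow-list SecurityPolicy. The template names, the variable set and the allow-list contents are assumptions chosen for an email/landing-page theme; it assumes twig/twig installed via Composer.

```php
<?php
// Added example (not Mautic's code): render uploaded theme templates through
// Twig's SandboxExtension so that anything outside an explicit allow-list of
// tags, filters, functions, methods and properties is refused.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allow-list (assumed): only what an email or landing-page theme needs.
// Method and property lists are empty, so no method call on any object
// reachable from the template context is permitted.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                               // allowed tags
    ['escape', 'e', 'upper', 'lower', 'date', 'trim'],  // allowed filters
    [],                                                 // allowed methods, per class
    [],                                                 // allowed properties, per class
    ['range']                                           // allowed functions
);

// Constructed sample templates standing in for files from an uploaded theme ZIP.
$templates = [
    'benign.html.twig'   => '<h1>{{ subject|upper }}</h1><p>Hello {{ contact.firstname|e }}</p>',
    // The map filter is not on the allow-list, so this template is refused.
    'rejected.html.twig' => '{{ items|map(i => i) }}',
];

$twig = new Environment(new ArrayLoader($templates), ['cache' => false]);
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

function renderTheme(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        // The template used something the policy does not permit: refuse and log.
        return "REJECTED {$name}: " . $e->getMessage();
    }
}

$vars = [
    'subject' => 'May newsletter',
    'contact' => ['firstname' => 'Ada'],
    'items'   => [1, 2],
];
echo renderTheme($twig, 'benign.html.twig', $vars), PHP_EOL;
echo renderTheme($twig, 'rejected.html.twig', $vars), PHP_EOL;
```

The first template renders normally; the second raises a SecurityError before any expression in it runs, which is the behaviour the advisory says the theme-upload path lacked. The point of the design is that the policy is an allow-list: a filter or method that nobody added is denied by default, rather than a deny-list that has to anticipate every bypass.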
The entry point in the Mautic role model is the core:themes:create permission. According to the Mautic role documentation, this permission governs creating and uploading themes. In practice it is handed out widely — to designers, to marketing assistants, to outsourced template shops — because someone needs to edit the email visuals. It is rarely scoped to a single privileged administrator.
The attack chain reads like this: pick up one account that has theme-creation permission (credential stuffing, phishing, an off-boarded employee that nobody removed, a contractor account whose laptop got popped), upload a theme ZIP with a Twig payload inside, preview or apply it, and at render time the Twig expression evaluates and an arbitrary command runs. With no sandbox to bypass, even the textbook payloads work as-is.
The Seven CVEs in This Release
CVE-2026-9558 is not the only fix in this release (7.1.2 / 6.0.9 / 5.2.11 / 4.4.20). Pulling the patches listed in the Mautic Community 7.1.2 (Aludra Edition) release notes gives seven CVEs in total.
| CVE | Class | Location | Precondition |
|---|---|---|---|
| CVE-2026-9558 CVSS 9.9 | SSTI (template-injection RCE) | Theme template rendering (Twig) | Authenticated + core:themes:create |
| CVE-2026-4776 | SQL Injection | API contact filtering | API token with access |
| CVE-2026-9557 | SSRF | Mautic Focus component | Focus edit permission |
| CVE-2026-9559 | Path Traversal | Campaign import | Campaign edit permission |
| CVE-2026-9808 | Authz bypass | API v2 endpoints | Low-priv API token |
| CVE-2026-9809 | Stored XSS | Projects component | Project edit permission |
| CVE-2026-9811 | Stored XSS | Project Option Selector | Project edit permission |
Five of the seven start from an authenticated low-privilege user. In MA-platform deployments, outside agencies, contract designers, and seasonal-campaign staff routinely receive "go ahead, take project-edit permission" or "here is an API token" provisioning. The accurate read is not "one CVE you patch and you are done" — it is "after the foothold, several lateral paths are already wide open."
CVE-2026-9558: Twig SSTI in Theme Templates (CVSS 9.9)
The main act of this article; details are above. The GHSA is GHSA-9fx4-7cmj-47vg. Reporters: onurcangnc, xfer0, Entropt. Remediation reviewers from the Mautic core team: patrykgruszka, escopecz.
CVE-2026-4776: SQL Injection in API Contact Filtering
External-system searches against Mautic contacts let user input reach the filter clauses. The GHSA is GHSA-fcmw-wx57-9p75. If the API token used by your CRM-integration script is compromised, the entire contact database walks out.
CVE-2026-9557: SSRF in Mautic Focus
Mautic Focus is the standard component for showing pop-ups, banners, and notification bars to site visitors. SSRF was found there. The GHSA is GHSA-jmv8-8j9j-rcpc. On cloud deployments, the canonical pivot via the 169.254.169.254 metadata endpoint to instance-role credentials becomes available.
CVE-2026-9559: Path Traversal in Campaign Import
The campaign-definition JSON import accepts attachment paths without proper validation. The GHSA is GHSA-6r9h-4h75-7q4x. A relative path like ../../app/config/local.php reaches configuration files.
CVE-2026-9808: API v2 Authorization Bypass
v2 endpoints that should require Manager or higher were callable with low-privilege tokens. The GHSA is GHSA-2jrw-c95w-h43g. On its own this is more of an information-exposure issue; combined with CVE-2026-9558, you can draw a chain of "one API key → forge a low-privilege token → escalate to theme-create permission → fire the SSTI."
CVE-2026-9809 / CVE-2026-9811: Stored XSS in Projects (Two Bugs)
Project names and option-selector values accept injected script. The GHSAs are GHSA-7h65-whp7-rgqf and GHSA-5hvg-w58j-545m. Neither delivers RCE on its own, but as the entry point to lift an administrator's session token the moment they open a tampered project, they pair naturally with the authz-bypass or SSTI to start a longer chain.
Affected-Version Quick Reference — What to Install on Which Branch
Mautic operates an LTS / ELTS regime, so production deployments fragment across four branch lineages. Here is the patch version each lineage needs and the support status behind it.
| Branch | Who's on it | Patch to install | Support status |
|---|---|---|---|
| 7.x (latest) | Teams on the April 2026 7.0 / 7.1 line | 7.1.2 (Aludra Edition) | Active support |
| 6.0 LTS (Tabit Edition) | Teams running the 6.0 line on long-term tracks | 6.0.9 | LTS (through Sep 2026) |
| 5.2 LTS (Capella Edition) | Teams still on the January 2024 5.x line | 5.2.11 | LTS (final security release) |
| 4.4 (ELTS: paid) | Teams running the 2022 build on PHP 7.4-8.0 | 4.4.20 (ELTS subscribers only) | Paid ELTS (through Dec 2026) ~$4,000 / 2 years |
| Pre-4.x | Teams sitting on the 3.x / 2.x line | No official patch (major upgrade required) | EOL (community support ended) |
The trap here is that 4.4.20 is only available to paying ELTS subscribers. Mautic ELTS is a paid program at roughly $4,000 for two years (corporate-member discounts available). Teams that kept 4.4 frozen "because we cannot afford to retest under PHP 8.x" do not get the upstream patch unless they have an ELTS contract. The realistic choice becomes either expedite the move to 5.2.11, or sign an ELTS contract.
Five Actions to Take Now
Given the "authenticated + specific permission" precondition, plain patch installation does not close the story. An audit of how widely the permission is handed out belongs in the same work block.
- Upgrade the relevant branch immediately. 7.x → 7.1.2, 6.x → 6.0.9, 5.x → 5.2.11. ELTS subscribers go to 4.4.20. Pre-4.x: decide tonight to abandon the freeze and move to 5.2.11.
- Audit accounts holding theme-create permission. In Settings > Roles, list every role that carries core:themes:create and shrink the set to people who genuinely need it. Revoke for outside designers, off-boarded staff, and seasonal accounts immediately.
- Diff-audit recently uploaded theme ZIPs. Grep every theme uploaded in the last 30 days for suspicious strings (_self, env, getFunction, map(, etc.). If you were already hit, a planted Twig expression may still be sitting in the theme directory.
- Audit API tokens. As a paired response to CVE-2026-4776 (API SQLi) and CVE-2026-9808 (API v2 authz bypass), enumerate all active API tokens and revoke the unused ones. Reissue any keys used by CRM-integration scripts after the upgrade.
- Log review for unauthorized administrators. Check the last 30 days for admin role changes, new user creations, and theme uploads from unfamiliar IP addresses. If you run on Acquia or a managed host, pair this with the vendor's security log review.
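A scanner for the theme-audit step above, as an added example that is not part of Mautic or this article: it walks theme ZIPs or already-extracted theme directories, inspects every .twig file, and reports lines matching Twig constructs that a legitimate email or landing-page theme has no reason to contain. The pattern list and the themes path in the usage comment are assumptions; it assumes ext-zip (ZipArchive) is available.

```php
<?php
// Added example (not Mautic's code): flag suspicious Twig constructs in
// uploaded themes. Patterns are an assumption derived from the strings in the
// checklist above; a hit means "review this file", not proof of compromise.
declare(strict_types=1);

const SUSPICIOUS_PATTERNS = [
    'self_env'      => '/\b_self\s*\.\s*env\b/',
    'undefined_cb'  => '/registerUndefined(?:Filter|Function)Callback/',
    'get_function'  => '/\bgetFunction\s*\(/',
    'map_filter'    => '/\|\s*map\s*\(/',
    'filter_filter' => '/\|\s*filter\s*\(/',
    'attribute_fn'  => '/\battribute\s*\(/',
];

function isTemplatePath(string $path): bool
{
    return (bool) preg_match('/\.twig$/i', $path);
}

// Scan one template body; returns [pattern name => [line numbers]].
function scanTemplate(string $body): array
{
    $hits = [];
    foreach (explode("\n", $body) as $i => $line) {
        foreach (SUSPICIOUS_PATTERNS as $name => $re) {
            if (preg_match($re, $line)) {
                $hits[$name][] = $i + 1;
            }
        }
    }
    return $hits;
}

// Scan every .twig entry inside a theme ZIP; returns [entry => hits].
function scanThemeZip(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open {$zipPath}");
    }
    $report = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if (isTemplatePath($entry)) {
            $hits = scanTemplate((string) $zip->getFromIndex($i));
            if ($hits !== []) {
                $report[$entry] = $hits;
            }
        }
    }
    $zip->close();
    return $report;
}

// Scan an extracted theme directory recursively; returns [path => hits].
function scanThemeDir(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->isFile() && isTemplatePath($file->getPathname())) {
            $hits = scanTemplate((string) file_get_contents($file->getPathname()));
            if ($hits !== []) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

function printReport(string $target, array $report): void
{
    if ($report === []) {
        echo "{$target}: clean", PHP_EOL;
        return;
    }
    echo "{$target}: REVIEW", PHP_EOL;
    foreach ($report as $file => $hits) {
        foreach ($hits as $name => $lines) {
            echo "  {$file}: {$name} at line(s) " . implode(',', $lines), PHP_EOL;
        }
    }
}

// Usage (assumed path): php scan_themes.php /var/www/mautic/themes/*
// With no arguments, run against a constructed sample template instead.
$targets = array_slice($argv, 1);
if ($targets === []) {
    $sample = "<p>{{ subject|e }}</p>\n{{ items|map(i => i.name) }}\n";
    printReport('constructed-sample', ['sample.html.twig' => scanTemplate($sample)] ?: []);
    exit(0);
}
foreach ($targets as $target) {
    printReport($target, is_dir($target) ? scanThemeDir($target) : scanThemeZip($target));
}
```

Run it over the last 30 days of uploads and diff the output against a known-good copy of each theme; anything that matches is reviewed by hand, because the filters it flags are rare in themes but not impossible in legitimate ones.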
For teams that want to keep watching this category of OSS supply-chain incident continuously, pairing the OSS Supply-Chain Scanner with the CISA KEV Dashboard (Japanese edition) raises the coverage of external monitoring.
Timeline — How the May Security Batch Came Together
The major events leading to this release, laid out chronologically. You can follow the path from the small bug-fix releases three months ago to the May bundle that compresses a month of vulnerabilities into one update.
Bottom Line
CVE-2026-9558 is the result of Mautic rendering uploaded theme Twig templates without a sandbox, allowing any authenticated user with theme-creation permission to execute arbitrary code on the server. The CVSS 9.9 score is the formal expression — through Scope:Changed — of a familiar reality: the moment one Mautic instance falls, the contact database behind it, the integration tokens reaching out to your CRM, and the warmed-up reputation of your sending domain go down in the same compromise.
Seven CVEs ride in this same release; five of them start from an authenticated low-privilege user. In MA-platform shops, outside agencies, contract designers, and seasonal accounts routinely receive wide permissions, so the response cannot stop at patching binaries — pair it with an audit of the core:themes:create permission distribution and a reissue of API tokens. Teams running 4.4 without an ELTS subscription do not receive the upstream fix at all and need to make their move to 5.2.11 right now.
The reasons B2B marketing teams picked Mautic were "self-hosted at a tenth of HubSpot's cost" and "we needed custom form requirements HubSpot would not handle." The trade is that the monthly four-branch security bundle gets chased by a marketer rather than by a SOC. Check your Mautic version tonight and put the migration to the patched release on a calendar entry that cannot be moved.
References
- NVD — CVE-2026-9558
- Mautic Security Advisory — GHSA-9fx4-7cmj-47vg
- Mautic Community 7.1.2 Aludra Edition Release Notes
- Mautic Releases Page
- Mautic Extended Long Term Support (ELTS)
- Mautic Documentation — Managing Roles
- WebTechSurvey — Mautic Usage Statistics
- CISA KEV Dashboard (Japanese edition)
- OSS Supply-Chain Scanner