Arbitrary File Upload Vulnerability in Mautic's GrapesJS Builder
CVE-2025-13827
8.8 HIGH
What is CVE-2025-13827?
Mautic's GrapesJS Builder does not restrict the types of files its upload handling accepts, so an attacker can upload arbitrary files. If the media folder is not configured to prevent execution of uploaded files, this flaw can be exploited to achieve remote code execution and compromise the affected system. Users and administrators should ensure the media directory is secured against execution of uploaded content and that appropriate measures are taken to mitigate the risks associated with this vulnerability.
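As an added defensive illustration (not Mautic's code, and independent of how GrapesJS Builder actually handles uploads), the following Python shows the fail-closed checks a media upload handler should apply (extension allowlist, single extension, content matching the claimed type, no server-side script markers) and reuses them to sweep an existing media folder for files that should never have been accepted. The allowlist, the magic-byte table and the sample inputs are assumptions constructed for this example.

```python
"""Allowlist-based validation for files written to a builder's media folder."""
import pathlib
import re

# Extensions a page builder's media folder plausibly needs (assumed list).
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "webp", "svg"}

# Leading bytes each image type must carry (constructed table, not exhaustive).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}

# Markers of server-side script content that never belong in a media file.
SCRIPT_MARKER = re.compile(rb"<\?(php|=)|<%|#!/", re.IGNORECASE)
# One base name, one dot, one short extension: no paths, no double extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check fails closed."""
    if not SAFE_NAME.fullmatch(filename):
        return False, "name has a path, a second dot or odd characters"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} is not on the allowlist"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type"
    if ext == "svg" and not data.lstrip().startswith((b"<svg", b"<?xml")):
        return False, "svg content does not start with an svg/xml root"
    if SCRIPT_MARKER.search(data):
        return False, "server-side script marker found in content"
    return True, "ok"


def audit_media_dir(root: str) -> list[tuple[str, str]]:
    """Sweep an existing media folder and report files that fail check_upload."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file():
            accepted, reason = check_upload(path.name, path.read_bytes())
            if not accepted:
                findings.append((str(path), reason))
    return findings
```

Content validation complements, but does not replace, a web-server rule that denies script execution under the media directory; both layers should be in place.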
Affected Version(s)
Mautic <4.4.18, <5.2.9, <6.0.7
References
CVSS V4
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jason Woods (driskell)
Patryk Gruszka (patrykgruszka)
Jan Linhart (escopecz)
