Arbitrary Package Installation Vulnerability in Mautic by Mautic
CVE-2025-13828
9 CRITICAL
What is CVE-2025-13828?
A vulnerability exists in the Mautic platform that allows a non-privileged user to install and remove arbitrary packages via Composer. The issue is present even when the 'enable composer-based updates' option is disabled in the update settings. As a result, an attacker could use this flaw to install malicious code, potentially allowing them to escalate privileges within the system. This presents a significant security risk, as unauthorized code execution can lead to further exploitation and compromise of the affected systems.
Affected Version(s)
Mautic <4.4.18, <5.2.9, <6.0.7
CVSS V4
Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Jason Woods (driskell)
Jan Linhart (escopecz)
Patryk Gruszka (patrykgruszka)
