Cross-Site Scripting Vulnerability in Mautic by Mautic
CVE-2025-9823

4.8MEDIUM

Key Information:

Vendor: Mautic
Status: Mautic
Vendor: CVE Published:; 3 September 2025

What is CVE-2025-9823?

The Cross-Site Scripting vulnerability affects the 'Tags' input field on the /s/ajax?action=lead:addLeadTags endpoint of Mautic. In this flaw, user-generated input is reflected in the server's response without adequate sanitization, allowing attackers to run arbitrary JavaScript in the context of an authenticated user's session. This omission presents severe risks, including session hijacking and credential theft, as the executed JavaScript can manipulate web page content and redirect users to malicious sites. Despite server-side data sanitization, the immediate execution of payloads in the user's browser poses a significant threat to the application's security.

Affected Version(s)

Mautic >= 4.4.0 < 4.4.0

Mautic >= 5.0.0-alpha < 5.0.0-alpha

Mautic >= 6.0.0-alpha < 6.0.0-alpha

References

https://github.com/mautic/mautic/security/advisories/GHSA...

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 3, 2025
Vulnerability Reserved
Sep 2, 2025

Credit

nmmorette

kuzmany

patrykgruszka