Path Traversal Vulnerability in Mautic Campaign Import Feature
CVE-2026-9559
9.9 CRITICAL
What is CVE-2026-9559?
Mautic 7's campaign import feature accepts a ZIP archive and extracts it into a temporary directory. Entry paths inside the archive are not validated adequately before extraction, so an entry whose name contains traversal sequences is written outside the designated temporary directory (the bug class commonly called Zip Slip). An authenticated user who holds the campaign import permission can therefore craft an archive that writes arbitrary PHP files into sensitive application directories. Because the written files can overwrite internal configuration files or cache components that the application later loads, successful exploitation can lead to remote code execution in the context of the web server user.
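The extraction bug class described above, as an added Python illustration; it is not Mautic's code (Mautic is PHP) and does not reproduce the exact flaw in the campaign importer. It builds a constructed archive containing a legitimate-looking entry and an entry named `../../evil.php`, shows that an extractor which joins entry names onto the destination by hand writes the PHP file outside the temporary directory, and contrasts it with a hardened extractor that canonicalises every entry path and rejects the whole archive before writing anything. The function names `extract_naive`, `extract_safe`, `is_within`, `build_zip` and the sample archive contents are all constructed for this example. Python's own `ZipFile.extract()` strips traversal components, which is why the vulnerable version reads entries and writes them itself.

```python
"""Zip Slip (path traversal during archive extraction), illustrated in Python.

Added example, not Mautic code. An archive entry named "../../evil.php" is
joined onto the extraction directory without canonicalisation, so the file
lands outside it. The hardened extractor canonicalises every entry path and
refuses the archive before writing a single byte.
"""
import io
import os
import zipfile


def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content}.

    Constructed sample input: zipfile.writestr stores entry names verbatim,
    so a name containing "../" survives into the archive exactly as an
    attacker would craft it with any ZIP tool.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed payload mirroring the advisory's scenario: a plausible campaign
# export bundled with a PHP file whose name climbs out of the temp directory.
MALICIOUS_ZIP = build_zip({
    "campaign.json": '{"name": "Welcome series"}',
    "../../evil.php": "<?php system($_GET['c']); ?>",
})
BENIGN_ZIP = build_zip({"campaign.json": '{"name": "Welcome series"}'})


def extract_naive(zip_bytes: bytes, dest: str) -> list[str]:
    """VULNERABLE: trusts entry names and joins them onto dest.

    Mirrors an extractor that reads each member and writes it to a path
    built by plain string joining; ".." components are never removed.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no canonicalisation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def is_within(base: str, path: str) -> bool:
    """True if path, once fully resolved (symlinks included), lies inside base."""
    base_real = os.path.realpath(base)
    path_real = os.path.realpath(path)
    return os.path.commonpath([base_real, path_real]) == base_real


def extract_safe(zip_bytes: bytes, dest: str) -> list[str]:
    """HARDENED: validate every entry, then extract.

    Rejects absolute names and any name whose canonical target falls outside
    dest. Validation covers the whole archive before the first write, so a
    malicious entry cannot leave earlier entries half-extracted on disk.
    """
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        for info in members:
            name = info.filename
            if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute or empty entry name rejected: {name!r}")
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes extraction directory: {name!r}")
        written = []
        for info in members:
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "tmp", "import")
    os.makedirs(dest)
    for path in extract_naive(MALICIOUS_ZIP, dest):
        print(("ESCAPED  " if not is_within(dest, path) else "contained ") + path)
    try:
        extract_safe(MALICIOUS_ZIP, dest)
    except ValueError as exc:
        print("hardened extractor refused:", exc)
```

Running the module with a destination of `<root>/tmp/import` leaves `evil.php` at `<root>/`, two levels above the intended directory, while the hardened extractor refuses the same archive and writes nothing. Path containment is the fix for this bug class; an allowlist of expected file types for an import (JSON, CSV) is a separate, additional control that also stops a PHP file from being written even when its path is inside the temporary directory.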
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Score: 9.9 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Credit
Nguyễn Văn Long (@nglong05)
@f3nrir77
John Linhart (@escopecz)
Patryk Gruszka (@patrykgruszka)
Leuchtfeuer Digital Marketing (@Leuchtfeuer)
