Overview
A critical Server-Side Template Injection (SSTI) vulnerability has been identified in Mautic, the widely deployed open-source marketing automation platform. Tracked as CVE-2026-9558 with a CVSS score of 9.9, the flaw exists in Mautic's Twig-powered theme rendering engine and allows authenticated users with theme upload or creation privileges to achieve arbitrary remote code execution on the underlying server.
The vulnerability was published on May 29, 2026, and organizations running Mautic instances should treat this as an urgent remediation priority.
Technical Details
Mautic uses the Twig templating engine to render custom themes. The core issue is that uploaded Twig templates are parsed and executed without a sandbox and without restricting Twig functions that can interact with the host environment. An attacker who can upload or create a theme can embed malicious Twig payloads to call PHP system functions, read files, or run OS commands.
SSTI flaws in Twig typically abuse the filter construct or direct function references to pass input to OS-level interpreters. Without sandboxing, any built-in PHP function becomes reachable from within the template context.
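The configuration difference described above, shown as an added example that is not Mautic's own code: the same untrusted theme fragment is rendered once by a plain Twig environment and once inside Twig's SandboxExtension with an explicit allowlist policy. The template text, variable names and the allowlist contents are constructed for this demonstration, and the `reverse` filter simply stands in for any construct the policy does not permit.

```php
<?php
// Added example (not Mautic's code): weak vs. sandboxed Twig rendering of an
// uploaded theme. Requires twig/twig 3.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed theme fragment: one allowlisted filter (upper) and one that the
// policy below deliberately leaves out (reverse).
$themeTemplate = 'Hello {{ contact.firstname|upper }} {{ contact.lastname|reverse }}';
$vars = ['contact' => ['firstname' => 'Ada', 'lastname' => 'Lovelace']];

$loader = new ArrayLoader(['theme.html.twig' => $themeTemplate]);

// Weak configuration: no sandbox, so every registered tag, filter and function
// is reachable from the uploaded template.
$unsandboxed = new Environment($loader);
echo $unsandboxed->render('theme.html.twig', $vars), PHP_EOL;

// Hardened configuration: an explicit allowlist. Anything not listed here
// makes the template fail with a SecurityError instead of executing.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                 // allowed tags
    ['escape', 'upper', 'lower', 'date'], // allowed filters
    [],                                   // allowed methods  (class => [methods])
    [],                                   // allowed properties (class => [props])
    ['range']                             // allowed functions
);
$sandboxed = new Environment($loader);
// Second argument true: sandbox every template, not only {% sandbox %} blocks.
$sandboxed->addExtension(new SandboxExtension($policy, true));

try {
    echo $sandboxed->render('theme.html.twig', $vars), PHP_EOL;
} catch (SecurityError $e) {
    // Reject and log the theme rather than rendering it.
    echo 'Rejected theme: ', $e->getMessage(), PHP_EOL;
}
```

The first render succeeds unconditionally; the second is refused by the policy, which is the behaviour a theme-rendering path should have for user-supplied templates.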
Because Mautic runs with web server privileges (commonly www-data on Linux), a successful injection can lead to:
- Full server compromise via shell access
- Credential theft from Mautic's database configuration files
- Lateral movement if the server has network access to internal systems
- Data exfiltration of marketing contacts, PII, and campaign data
Affected Components
| Component | Details |
|---|---|
| Platform | Mautic (open-source marketing automation) |
| Engine | Twig Template Engine (PHP) |
| Permission Required | Theme create/upload capability |
| Attack Vector | Network |
| Attack Complexity | Low |
| CVSS v3.1 Score | 9.9 (Critical) |
Who Is At Risk
Any organization running a Mautic instance where:
- Multiple users have administrator or campaign manager roles
- Third-party agencies or contractors have access to the Mautic dashboard
- The Mautic installation is internet-facing without additional WAF controls
Mautic is commonly deployed by marketing teams at SMBs, nonprofits, and enterprises as a self-hosted alternative to HubSpot or Mailchimp. Many installations grant broad permissions to non-technical marketing staff, which expands the attack surface considerably.
Remediation
- Apply the vendor patch immediately once released. Monitor the official Mautic security advisories page.
- Restrict theme upload permissions to a minimal set of trusted administrators until a patch is available.
- Audit existing themes for suspicious Twig constructs — particularly calls to PHP shell functions or Twig filter abuse patterns.
- Deploy a WAF rule to block common SSTI patterns in uploaded content.
- Review access logs for anomalous theme creation or upload activity, especially from unfamiliar IP addresses.
Indicators of Compromise
Review Mautic's application logs and your web server access logs for:
- Unexpected theme uploads or modifications in the admin panel
- HTTP requests to Mautic theme endpoints with large or encoded payloads
- Unusual outbound connections from the Mautic server (especially to external IPs)
- New system processes spawned under the web server user
References
- NVD: CVE-2026-9558
- Mautic Security Advisories: https://www.mautic.org/mautic-security-advisories
- Twig Sandbox Documentation: https://twig.symfony.com/doc/3.x/api.html#sandbox-extension