Every CVE whose affected-product data names Acquia Mautic, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (35)
CVE-2020-35124 — CVSS 9.6 (critical): A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject executable…
CVE-2020-35125 — CVSS 9.6 (critical): A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable…
CVE-2022-25772 — CVSS 9.6 (critical): A cross-site scripting (XSS) vulnerability in the web tracking component of Mautic before 4.3.0 allows remote attackers to inject…
CVE-2024-47051 — CVSS 9.1 (critical): This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be…
CVE-2020-35128 — CVSS 9.0 (critical): Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other…
CVE-2017-8874 — CVSS 8.8 (high): Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for…
CVE-2021-27911 — CVSS 8.3 (high): Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when…
CVE-2022-25776 — CVSS 8.3 (high): Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from…
CVE-2021-27910 — CVSS 8.2 (high): Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function…
CVE-2017-1000489 — CVSS 8.1 (high): Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address
CVE-2021-27916 — CVSS 8.1 (high): Prior to the patched version, logged in users of Mautic are vulnerable to Relative Path Traversal/Arbitrary File Deletion. Regardless of…
CVE-2022-25770 — CVSS 7.8 (high): Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to…
CVE-2024-47053 — CVSS 7.7 (high): This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow…
CVE-2026-3105 — CVSS 7.6 (high): SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability…
CVE-2021-27914 — CVSS 7.6 (high): A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript
CVE-2021-27915 — CVSS 7.6 (high): Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be…
CVE-2021-27917 — CVSS 7.3 (high): Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report.
CVE-2022-25769 — CVSS 7.2 (high): ImpactThe default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the…
CVE-2021-27912 — CVSS 7.1 (high): Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title…
CVE-2022-25768 — CVSS 7.0 (high): The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform…
CVE-2022-25775 — CVSS 6.6 (medium): Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user…
CVE-2017-1000490 — CVSS 6.5 (medium): Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the…
CVE-2022-25777 — CVSS 6.5 (medium): Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the application…
CVE-2021-27909 — CVSS 6.3 (medium): For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter…
CVE-2017-1000488 — CVSS 6.1 (medium): Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET…
CVE-2018-11198 — CVSS 6.1 (medium): An issue was discovered in Mautic 2.13.1. There is Stored XSS via the authorUrl field in config.json.
CVE-2021-27908 — CVSS 5.8 (medium): In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user…
CVE-2024-47050 — CVSS 5.4 (medium): Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.
CVE-2022-25774 — CVSS 4.8 (medium): Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mautic…
CVE-2022-25773 — CVSS 4.3 (medium): This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server. *…
CVE-2024-47059 — CVSS 4.3 (medium): When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak…
CVE-2024-47055 — CVSS 4.3 (medium): SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows…
CVE-2021-27913 — CVSS 3.5 (low): The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one…
CVE-2024-47058 — CVSS 2.9 (low): With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal…