VulnerableCode Package Details - pkg:composer/mautic/core@5.2.7

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/mautic/core@5.2.7

Essentials
History (6)

purl	pkg:composer/mautic/core@5.2.7

Next non-vulnerable version	5.2.10
Latest non-vulnerable version	7.0.1
Risk	4.5

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-a3qv-sg57-gfd4 Aliases: CVE-2025-13828 GHSA-3fq7-c5m8-g86x	Mautic user without privileged access to the Marketplace can install and uninstall composer packages A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked.	5.2.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-f8d8-kqpm-ekhc Aliases: CVE-2025-9824 GHSA-3ggv-qwcp-j6xg	Mautic Vulnerable to User Enumeration via Response Timing The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.	5.2.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fa5a-r46u-nbfm Aliases: CVE-2025-9821 GHSA-hj6f-7hp7-xg69	Mautic vulnerable to SSRF via webhook function Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed	5.2.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qz5x-pz9p-93eu Aliases: CVE-2025-9822 GHSA-438m-6mhw-hq5w	Mautic vulnerable to secret data extraction via elfinder _A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally available._	5.2.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-s7r1-3b25-bbe6 Aliases: CVE-2025-9823 GHSA-9v8p-m85m-f7mm	Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.	5.2.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-swy6-81uq-4kcs Aliases: CVE-2026-3105 GHSA-r5j5-q42h-fc93	Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.	5.2.10 Affected by 0 other vulnerabilities. 6.0.8 Affected by 0 other vulnerabilities. 7.0.1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:04:35.637082+00:00	GitLab Importer	Affected by	VCID-swy6-81uq-4kcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2026-3105.yml	38.6.0
2026-06-06T06:28:08.082761+00:00	GitLab Importer	Affected by	VCID-a3qv-sg57-gfd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-13828.yml	38.6.0
2026-06-06T06:04:20.958814+00:00	GitLab Importer	Affected by	VCID-f8d8-kqpm-ekhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9824.yml	38.6.0
2026-06-06T06:04:08.351273+00:00	GitLab Importer	Affected by	VCID-s7r1-3b25-bbe6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9823.yml	38.6.0
2026-06-06T06:04:07.899727+00:00	GitLab Importer	Affected by	VCID-qz5x-pz9p-93eu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9822.yml	38.6.0
2026-06-06T06:04:07.440620+00:00	GitLab Importer	Affected by	VCID-fa5a-r46u-nbfm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9821.yml	38.6.0