VulnerableCode Package Details - pkg:composer/mautic/core@5.2.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-a3qv-sg57-gfd4 Aliases: CVE-2025-13828 GHSA-3fq7-c5m8-g86x	Mautic user without privileged access to the Marketplace can install and uninstall composer packages A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked.	5.2.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-swy6-81uq-4kcs Aliases: CVE-2026-3105 GHSA-r5j5-q42h-fc93	Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.	5.2.10 Affected by 0 other vulnerabilities. 6.0.8 Affected by 0 other vulnerabilities. 7.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-a3qv-sg57-gfd4
Aliases:
CVE-2025-13828
GHSA-3fq7-c5m8-g86x

Mautic user without privileged access to the Marketplace can install and uninstall composer packages A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked.

5.2.9
Affected by 1 other vulnerability.

6.0.7
Affected by 1 other vulnerability.

VCID-swy6-81uq-4kcs
Aliases:
CVE-2026-3105
GHSA-r5j5-q42h-fc93

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

5.2.10
Affected by 0 other vulnerabilities.

6.0.8
Affected by 0 other vulnerabilities.

7.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-f8d8-kqpm-ekhc	Mautic Vulnerable to User Enumeration via Response Timing The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.	CVE-2025-9824 GHSA-3ggv-qwcp-j6xg
VCID-fa5a-r46u-nbfm	Mautic vulnerable to SSRF via webhook function Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed	CVE-2025-9821 GHSA-hj6f-7hp7-xg69
VCID-qz5x-pz9p-93eu	Mautic vulnerable to secret data extraction via elfinder _A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally available._	CVE-2025-9822 GHSA-438m-6mhw-hq5w
VCID-s7r1-3b25-bbe6	Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.	CVE-2025-9823 GHSA-9v8p-m85m-f7mm

Vulnerability

Summary

Aliases

VCID-f8d8-kqpm-ekhc

Mautic Vulnerable to User Enumeration via Response Timing The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks.

CVE-2025-9824
GHSA-3ggv-qwcp-j6xg

VCID-fa5a-r46u-nbfm

Mautic vulnerable to SSRF via webhook function Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed

CVE-2025-9821
GHSA-hj6f-7hp7-xg69

VCID-qz5x-pz9p-93eu

Mautic vulnerable to secret data extraction via elfinder _A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally available._

CVE-2025-9822
GHSA-438m-6mhw-hq5w

VCID-s7r1-3b25-bbe6

Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.

CVE-2025-9823
GHSA-9v8p-m85m-f7mm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:04:35.641980+00:00	GitLab Importer	Affected by	VCID-swy6-81uq-4kcs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2026-3105.yml	38.6.0
2026-06-06T06:28:08.086890+00:00	GitLab Importer	Affected by	VCID-a3qv-sg57-gfd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-13828.yml	38.6.0
2026-06-04T17:08:10.741391+00:00	GithubOSV Importer	Fixing	VCID-qz5x-pz9p-93eu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-438m-6mhw-hq5w/GHSA-438m-6mhw-hq5w.json	38.6.0
2026-06-04T17:08:07.483922+00:00	GithubOSV Importer	Fixing	VCID-s7r1-3b25-bbe6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-9v8p-m85m-f7mm/GHSA-9v8p-m85m-f7mm.json	38.6.0
2026-06-04T17:07:49.548567+00:00	GithubOSV Importer	Fixing	VCID-f8d8-kqpm-ekhc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3ggv-qwcp-j6xg/GHSA-3ggv-qwcp-j6xg.json	38.6.0
2026-06-04T17:07:46.154868+00:00	GithubOSV Importer	Fixing	VCID-fa5a-r46u-nbfm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-hj6f-7hp7-xg69/GHSA-hj6f-7hp7-xg69.json	38.6.0
2026-06-04T16:24:56.574505+00:00	GitLab Importer	Fixing	VCID-f8d8-kqpm-ekhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9824.yml	38.6.0
2026-06-04T16:24:55.943254+00:00	GitLab Importer	Fixing	VCID-s7r1-3b25-bbe6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9823.yml	38.6.0
2026-06-04T16:24:55.862280+00:00	GitLab Importer	Fixing	VCID-qz5x-pz9p-93eu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9822.yml	38.6.0
2026-06-04T16:24:55.778722+00:00	GitLab Importer	Fixing	VCID-fa5a-r46u-nbfm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2025-9821.yml	38.6.0