Vulnerability details: VCID-19zs-w8hs-abdm
Vulnerability ID VCID-19zs-w8hs-abdm
Aliases CVE-2022-25768
GHSA-x3jx-5w6m-q2fc
Summary: Mautic vulnerable to Improper Access Control in UI upgrade process. The logic in place to facilitate the update process via the user interface lacks access control to verify whether the caller has permission to perform the tasks. Before this patch was applied, it might have been possible for an attacker to read the Mautic version number or to execute parts of the upgrade process without permission. As upgrading through the user interface is deprecated, this functionality is no longer required.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00369 https://api.first.org/data/v1/epss?cve=CVE-2022-25768
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-x3jx-5w6m-q2fc
cvssv3.1 7.0 https://github.com/mautic/mautic
cvssv4 8.3 https://github.com/mautic/mautic
generic_textual HIGH https://github.com/mautic/mautic
cvssv3.1 7.0 https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
cvssv4 8.3 https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
generic_textual HIGH https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
cvssv3.1 7.0 https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
cvssv4 8.3 https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
generic_textual HIGH https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
cvssv3.1 7 https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
cvssv3.1 7.0 https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
cvssv3.1_qr HIGH https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
cvssv4 8.3 https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
generic_textual HIGH https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
ssvc Track https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
cvssv3.1 7.0 https://nvd.nist.gov/vuln/detail/CVE-2022-25768
cvssv4 8.3 https://nvd.nist.gov/vuln/detail/CVE-2022-25768
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-25768
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/mautic/mautic
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/mautic/mautic
Attack Vector (AV): network; Attack Complexity (AC): high; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): low; Vulnerable System Impact Integrity (VI): low; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
Attack Vector (AV): network; Attack Complexity (AC): high; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): low; Vulnerable System Impact Integrity (VI): low; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
Attack Vector (AV): network; Attack Complexity (AC): high; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): low; Vulnerable System Impact Integrity (VI): low; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
Attack Vector (AV): network; Attack Complexity (AC): high; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): low; Vulnerable System Impact Integrity (VI): low; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-19T15:42:37Z/ Found at https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25768
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): high

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25768
Attack Vector (AV): network; Attack Complexity (AC): high; Attack Requirements (AT): none; Privileges Required (PR): none; User Interaction (UI): none; Vulnerable System Impact Confidentiality (VC): low; Vulnerable System Impact Integrity (VI): low; Vulnerable System Impact Availability (VA): high; Subsequent System Impact Confidentiality (SC): none; Subsequent System Impact Integrity (SI): none; Subsequent System Impact Availability (SA): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.59101
EPSS Score 0.00369
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:22:17.583380+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2022-25768.yml 38.6.0