Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3agv-evyh-k3hk
Vulnerability ID VCID-3agv-evyh-k3hk
Aliases CVE-2022-25772
GHSA-pjpc-87mp-4332
GMS-2022-1448
Summary Cross-site Scripting vulnerability in Mautic's tracking pixel functionality ### Impact Mautic allows you to track open rates by using tracking pixels. The tracking information is stored together with extra metadata of the tracking request. The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation. ### Patches Please upgrade to 4.3.0 ### Workarounds None. ### References * Internally tracked under MST-38 ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.02993 https://api.first.org/data/v1/epss?cve=CVE-2022-25772
epss 0.02993 https://api.first.org/data/v1/epss?cve=CVE-2022-25772
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-pjpc-87mp-4332
cvssv3.1 9.6 https://github.com/mautic/mautic
generic_textual CRITICAL https://github.com/mautic/mautic
cvssv3.1 9.6 https://github.com/mautic/mautic/commit/462eb596027fd949efbf9ac5cb2b376805e9d246
generic_textual CRITICAL https://github.com/mautic/mautic/commit/462eb596027fd949efbf9ac5cb2b376805e9d246
cvssv3.1 9.6 https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
cvssv3.1_qr CRITICAL https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
generic_textual CRITICAL https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
cvssv3.1 9.6 https://nvd.nist.gov/vuln/detail/CVE-2022-25772
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-25772
cvssv3.1 9.6 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html
generic_textual CRITICAL https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-25772
https://github.com/mautic/mautic
https://github.com/mautic/mautic/commit/462eb596027fd949efbf9ac5cb2b376805e9d246
https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
https://nvd.nist.gov/vuln/detail/CVE-2022-25772
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html
GHSA-pjpc-87mp-4332 https://github.com/advisories/GHSA-pjpc-87mp-4332
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Found at https://github.com/mautic/mautic
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Found at https://github.com/mautic/mautic/commit/462eb596027fd949efbf9ac5cb2b376805e9d246
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Found at https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25772
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L Found at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.86808
EPSS Score 0.02993
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:53:52.827358+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pjpc-87mp-4332/GHSA-pjpc-87mp-4332.json 38.6.0