mautic/core Security Advisories for 6.0.0 (9)
- [MEDIUM] Mautic Vulnerable to User Enumeration via Response Timing
  PKSA-f1xn-2dhr-qrdb CVE-2025-9824 GHSA-3ggv-qwcp-j6xg
  Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17
  Reported by: GitHub
- [MEDIUM] Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
  PKSA-vhyd-4d5p-sjmg CVE-2025-9823 GHSA-9v8p-m85m-f7mm
  Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17
  Reported by: GitHub
- [MEDIUM] Mautic vulnerable to secret data extraction via elfinder
  PKSA-bn7t-4gr8-g6ns CVE-2025-9822 GHSA-438m-6mhw-hq5w
  Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17
  Reported by: GitHub
- [LOW] Mautic vulnerable to SSRF via webhook function
  PKSA-1vkq-hh1n-xfrh CVE-2025-9821 GHSA-hj6f-7hp7-xg69
  Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17
  Reported by: GitHub
- [MEDIUM] Mautic has an Open Redirect vulnerability on user unlock path.
  PKSA-q26v-9dpb-k2fj CVE-2025-5256 GHSA-6vx9-9r2g-8373
  Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=1.0.0,<4.4.16
  Reported by: GitHub
- [MEDIUM] Mautic segment cloning doesn't have a proper permission check
  PKSA-t9vw-npky-6xmt CVE-2024-47055 GHSA-vph5-ghq3-q782
  Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6
  Reported by: GitHub
- [MEDIUM] Mautic allows user name enumeration due to response time difference on password reset form
  PKSA-s7ys-knkq-xqw6 CVE-2024-47057 GHSA-424x-cxvh-wq9p
  Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=1.0.0,<4.4.16
  Reported by: GitHub
- [MEDIUM] Mautic does not shield .env files from web traffic
  PKSA-x5tz-t44g-gk96 CVE-2024-47056 GHSA-h2wg-v8wg-jhxh
  Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=4.4.0,<4.4.16
  Reported by: GitHub
- [MEDIUM] Mautic's Predictable Page Indexing Might Lead to Sensitive Data Exposure
  PKSA-x59g-t3yz-wmhz CVE-2025-5257 GHSA-cqx4-9vqf-q3m8
  Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=4.0.0,<4.4.16
  Reported by: GitHub