GHSA-jmv8-8j9j-rcpc

Source
https://github.com/advisories/GHSA-jmv8-8j9j-rcpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-jmv8-8j9j-rcpc/GHSA-jmv8-8j9j-rcpc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jmv8-8j9j-rcpc
Aliases
  • CVE-2026-9557
Published
2026-07-02T19:47:38Z
Modified
2026-07-02T20:00:08.039385619Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
Mautic Focus component Vulnerable to SSRF
Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (MauticFocusBundle). Under certain conditions, insufficient validation of user-supplied URLs allows authenticated users to make the hosting server issue outbound HTTP requests to destinations of their choosing.

Impact

An authenticated user with access to the Mautic panel can use this flaw to probe internal ports or to make the server issue requests to arbitrary external or internal destinations. This enables reconnaissance of the internal network and mapping of infrastructure that is otherwise shielded by a firewall.
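The advisory does not show the vulnerable Focus code, so the following is an added illustration of the class of check that CWE-918 calls for, not Mautic's own fix. It validates a user-supplied URL before the server fetches it: only http/https, no embedded credentials, and every address the host resolves to must lie outside loopback, link-local, private and multicast ranges (IPv4-mapped IPv6 is unwrapped so `::ffff:127.0.0.1` cannot slip past). The resolver is injected and backed by a constructed host table (`FAKE_DNS`, a hypothetical name) so the example runs offline; in production you would pass a real resolver. The function returns the address it approved rather than a bare boolean, because an HTTP client that re-resolves the name after the check is open to DNS rebinding; the caller should connect to the pinned address and keep the original hostname for the Host header and SNI.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed host table standing in for DNS in this example (hypothetical names).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    # One public and one loopback answer: the shape a rebinding attack produces.
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    """Offline stand-in for a DNS lookup; unknown names fail like NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host!r}")


# Ranges a marketing server has no business contacting on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(addr: str) -> bool:
    """True if the address is loopback, link-local, private, multicast or reserved."""
    ip = ipaddress.ip_address(addr)
    # Judge ::ffff:127.0.0.1 as 127.0.0.1, not as an unremarkable IPv6 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(
    url: str, resolve: Callable[[str], Iterable[str]] = fake_resolve
) -> str:
    """Return the single IP the caller must connect to, or raise ValueError.

    Every resolved address must be acceptable: a name that returns one public
    and one internal answer is rejected outright rather than retried.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        addrs = list(resolve(host))  # a name: check every answer
    else:
        addrs = [str(literal)]       # a literal IP never touches DNS
    if not addrs:
        raise ValueError(f"no addresses for {host!r}")
    for a in addrs:
        if is_blocked_ip(a):
            raise ValueError(f"{host!r} resolves to disallowed address {a}")
    return addrs[0]


if __name__ == "__main__":
    print(validate_outbound_url("https://example.com/focus"))
    for bad in ("http://127.0.0.1:8080/", "https://rebind.example/",
                "http://169.254.169.254/latest/meta-data/"):
        try:
            validate_outbound_url(bad)
        except ValueError as e:
            print("rejected:", e)
```

A check like this only covers the request the application itself issues; redirects followed by the HTTP client must be re-validated hop by hop, and the egress restriction described under Workarounds remains the backstop when the application-level check is bypassed.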

Patched Versions

This security issue has been fixed in the following releases:
  • 7.1.2
  • 6.0.9
  • 5.2.11
  • 4.4.20 ELTS

Mautic strongly recommends upgrading to the latest version of your release branch.

Workarounds

There is no official workaround. Until you can upgrade, restrict outbound network access from the Mautic web server, in particular to internal-only subnets and local hosts, to reduce the exposure; this limits what an SSRF can reach but does not remove the flaw.

Database specific
{
    "github_reviewed_at": "2026-07-02T19:47:38Z",
    "nvd_published_at": "2026-05-29T11:16:17Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Last affected
4.4.13

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0-rc
4.2.0-rc1
4.2.0
4.2.1
4.2.2
4.3.0-beta
4.3.0-rc
4.3.0
4.3.1
4.4.0-beta
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-jmv8-8j9j-rcpc/GHSA-jmv8-8j9j-rcpc.json"

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.11

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-jmv8-8j9j-rcpc/GHSA-jmv8-8j9j-rcpc.json"

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.9

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-jmv8-8j9j-rcpc/GHSA-jmv8-8j9j-rcpc.json"

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.1.2

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.1.0-rc
7.1.0
7.1.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-jmv8-8j9j-rcpc/GHSA-jmv8-8j9j-rcpc.json"
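The four affected ranges above are OSV ECOSYSTEM ranges, and evaluating them by hand is error-prone because Packagist pre-release versions such as 4.2.0-rc sort below 4.2.0 and because the 4.x range ends with a Last affected event (inclusive) rather than a Fixed event (exclusive). The following is an added example, not tooling from Mautic or OSV, that encodes the page's ranges and answers whether an installed mautic/core version falls inside one of them. The comparator understands only `MAJOR.MINOR.PATCH` with an optional alpha/beta/rc suffix, which is a deliberate subset of Composer's version rules and an assumption of this example; it raises on anything else rather than guessing.

```python
import re

# The ranges as published on this page. The 4.x entry names the last affected
# version, not a fix, so it cannot be used to infer the 4.x patched release.
AFFECTED_RANGES = [
    {"introduced": "4.0.0", "last_affected": "4.4.13"},
    {"introduced": "5.0.0", "fixed": "5.2.11"},
    {"introduced": "6.0.0", "fixed": "6.0.9"},
    {"introduced": "7.0.0", "fixed": "7.1.2"},
]

# Pre-release ordering assumed here: alpha < beta < rc < final release.
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3


def parse_version(v: str):
    """Turn '4.2.0-rc1' into a sortable tuple ((4, 2, 0), 2, 1).

    A final release ranks above every pre-release tag, so 4.2.0-rc1 < 4.2.0,
    and an untagged rc ('4.2.0-rc') sorts before a numbered one ('4.2.0-rc1').
    """
    m = re.fullmatch(
        r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d*))?", v.strip().lower()
    )
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return (nums, _FINAL, 0)
    return (nums, _PRE_ORDER[m.group(4)], int(m.group(5) or 0))


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """Evaluate OSV-style introduced/fixed/last_affected events for one version."""
    v = parse_version(version)
    for r in ranges:
        if v < parse_version(r["introduced"]):
            continue
        if "fixed" in r:
            if v < parse_version(r["fixed"]):       # fixed is exclusive
                return True
        elif v <= parse_version(r["last_affected"]):  # last_affected is inclusive
            return True
    return False


if __name__ == "__main__":
    for ver in ("4.2.0-rc1", "4.4.13", "4.4.20", "5.2.10", "5.2.11", "7.1.0-rc"):
        print(f"{ver:10} affected={is_affected(ver)}")
```

Note that the range data and the patched-version list on this page disagree for 4.x: the range stops at 4.4.13, while the fix is listed as 4.4.20 ELTS, so the matcher reports 4.4.14 through 4.4.19 as outside the published range. When deciding whether to upgrade a 4.x install, treat the patched-version list as the authority.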