CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-jmv8-8j9j-rcpc: Mautic Focus component Vulnerable to SSRF

mediumCVSS 6.4CVE-2026-9557
Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (MauticFocusBundle). Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server. Impact An authenticated user with access to the Mautic panel can exploit this vulnerability to perform internal port probing or force the server to initiate requests to external or arbitrary internal destinations. This can enable internal network reconnaissance or mapping of firewalled infrastructure. Patched Versions This security issue has been fixed in the following releases: - 7.1.2 - 6.0.9 - 5.2.11 - 4.4.20 ELTS Mautic strongly recommend upgrading to the latest version corresponding to your release branch. Workarounds There are no official workarounds. To completely mitigate the exposure without upgrading, disabling or limiting external network access from the Mautic web server to internal-only subnets/local hosts is recommended.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.4
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-jmv8-8j9j-rcpc

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-9557coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories