CVE-2026-9557
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (MauticFocusBundle). Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server.
Impact
An authenticated user with access to the Mautic panel can exploit this vulnerability to perform internal port probing or force the server to initiate requests to external or arbitrary internal destinations. This can enable internal network reconnaissance or mapping of firewalled infrastructure.
Patched Versions
This security issue has been fixed in the following releases:
- 7.1.2
- 6.0.9
- 5.2.11
- 4.4.20 ELTS
Mautic strongly recommend upgrading to the latest version corresponding to your release branch.
Workarounds
There are no official workarounds. To completely mitigate the exposure without upgrading, disabling or limiting external network access from the Mautic web server to internal-only subnets/local hosts is recommended.
⚡ Watch CVE-2026-9557
Get an email if CVE-2026-9557 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.14% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 4% of all EPSS-scored CVEs.
Advisory coverage (1)
- mediumGHSA-jmv8-8j9j-rcpc: Mautic Focus component Vulnerable to SSRFghsa · 2026-07-02
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-9557)