|
1861
|
6.4 |
MEDIUM
Network
|
-
|
-
|
A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests f…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-9557
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1862
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated us…
|
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-9558
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1863
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escap…
|
CWE-22
CWE-73
CWE-98
Path Traversal
External Control of File Name or Path
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-9559
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1864
|
7.1 |
HIGH
Network
|
-
|
-
|
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or …
|
CWE-863
Incorrect Authorization
|
CVE-2026-9808
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1865
|
7.6 |
HIGH
Network
|
-
|
-
|
A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or…
|
CWE-79
Cross-site Scripting
|
CVE-2026-9809
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1866
|
- |
|
-
|
-
|
Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component …
|
CWE-23
Relative Path Traversal
|
CVE-2026-8326
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1867
|
5.4 |
MEDIUM
Network
|
-
|
-
|
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application f…
|
CWE-79
Cross-site Scripting
|
CVE-2026-9811
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1868
|
- |
|
-
|
-
|
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path w…
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-9508
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1869
|
- |
|
-
|
-
|
An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST reques…
|
CWE-248
Uncaught Exception
|
CVE-2026-9509
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1870
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. Th…
|
CWE-862
Missing Authorization
|
CVE-2026-4290
|
2026-05-30 00:39 |
2026-05-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
