Security Advisories - mautic/core - Packagist

mautic/core Security Advisories for 5.2.0 (12)

[MEDIUM] Mautic Vulnerable to User Enumeration via Response Timing

PKSA-f1xn-2dhr-qrdb CVE-2025-9824 GHSA-3ggv-qwcp-j6xg

Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17

Reported by:
GitHub
[MEDIUM] Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add

PKSA-vhyd-4d5p-sjmg CVE-2025-9823 GHSA-9v8p-m85m-f7mm

Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17

Reported by:
GitHub
[MEDIUM] Mautic vulnerable to secret data extraction via elfinder

PKSA-bn7t-4gr8-g6ns CVE-2025-9822 GHSA-438m-6mhw-hq5w

Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17

Reported by:
GitHub
[LOW] Mautic vulnerable to SSRF via webhook function

PKSA-1vkq-hh1n-xfrh CVE-2025-9821 GHSA-hj6f-7hp7-xg69

Affected version: >=6.0.0-alpha,<6.0.5|>=5.0.0-alpha,<5.2.8|>=4.4.0,<4.4.17

Reported by:
GitHub
[MEDIUM] Mautic has an Open Redirect vulnerability on user unlock path.

PKSA-q26v-9dpb-k2fj CVE-2025-5256 GHSA-6vx9-9r2g-8373

Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=1.0.0,<4.4.16

Reported by:
GitHub
[MEDIUM] Mautic segment cloning doesn't have a proper permission check

PKSA-t9vw-npky-6xmt CVE-2024-47055 GHSA-vph5-ghq3-q782

Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6

Reported by:
GitHub
[MEDIUM] Mautic allows user name enumeration due to response time difference on password reset form

PKSA-s7ys-knkq-xqw6 CVE-2024-47057 GHSA-424x-cxvh-wq9p

Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=1.0.0,<4.4.16

Reported by:
GitHub
[MEDIUM] Mautic does not shield .env files from web traffic

PKSA-x5tz-t44g-gk96 CVE-2024-47056 GHSA-h2wg-v8wg-jhxh

Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=4.4.0,<4.4.16

Reported by:
GitHub
[MEDIUM] Mautic's Predictable Page Indexing Might Lead to Sensitive Data Exposure

PKSA-x59g-t3yz-wmhz CVE-2025-5257 GHSA-cqx4-9vqf-q3m8

Affected version: >=6.0.0-alpha,<6.0.2|>=5.0.0-alpha,<5.2.6|>=4.0.0,<4.4.16

Reported by:
GitHub
[MEDIUM] Mautic allows Relative Path Traversal in assets file upload

PKSA-r9y9-cx91-ppbj CVE-2022-25773 GHSA-4w2w-36vm-c8hf

Affected version: <5.2.3

Reported by:
GitHub
[HIGH] Mautic allows Improper Authorization in Reporting API

PKSA-d6g7-gn2x-xxxs CVE-2024-47053 GHSA-8xv7-g2q3-fqgc

Affected version: >=1.0.1,<5.2.3

Reported by:
GitHub
[CRITICAL] Mautic allows Remote Code Execution and File Deletion in Asset Uploads

PKSA-r8cy-ghyg-685v CVE-2024-47051 GHSA-73gx-x7r9-77x2

Affected version: <5.2.3

Reported by:
GitHub