Mautic Composer Package Management Vulnerability Allowing Arbitrary Code Installation by Low-Privileged Users

Vulnerability

A vulnerability exists in Mautic versions 4.0 and above that allows non-privileged users to install and remove arbitrary Composer packages. This is possible even when the configuration option enabling Composer-based updates is disabled. As a result, a low-privileged user could install malicious code and use it to gain higher privileges on the platform.

Impact

Exploitation of this vulnerability could lead to unauthorized installation of malicious code, which could be used to escalate privileges within the application.

Remediation

Users should upgrade to Mautic 4.4.18, 5.2.9, or 6.0.7 (the fixed releases on the 4.x, 5.x, and 6.x branches respectively) to address this vulnerability.
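Because the fix landed separately on three release branches, a single "version >= 4.4.18" comparison is wrong: 5.0.0 is newer than 4.4.18 yet still affected. The following inventory check, an added example that is not part of the advisory or of Mautic itself, compares each installed version against the fixed release of its own branch; the inventory data is constructed, and pre-release suffixes and branches newer than 6.x are treated as assumptions noted in the comments.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed release per branch, taken from the advisory's remediation section.
FIXED_BY_BRANCH: Dict[int, Version] = {4: (4, 4, 18), 5: (5, 2, 9), 6: (6, 0, 7)}
FIRST_AFFECTED: Version = (4, 0, 0)  # the advisory covers "4.0 and above"

# Constructed sample inventory (host, reported Mautic version), not real data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("crm-prod-01", "4.4.17"),
    ("crm-prod-02", "5.0.0"),
    ("crm-stage", "5.2.9"),
    ("crm-legacy", "3.3.5"),
    ("crm-dev", "v6.0.7-beta"),
]


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'. Assumption: an optional leading 'v' and any
    pre-release suffix such as '-beta' are ignored for comparison purposes."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Mautic version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_vulnerable(version: str) -> bool:
    """True if the version is in the affected range for its release branch."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # below 4.0: outside the range the advisory describes
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # Branch not listed in the advisory (e.g. a later 7.x); assumed to ship with the fix.
        return False
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each affected host to the fixed release it should be upgraded to."""
    needs_upgrade: Dict[str, str] = {}
    for host, version in inventory:
        if is_vulnerable(version):
            major = parse_version(version)[0]
            needs_upgrade[host] = ".".join(str(n) for n in FIXED_BY_BRANCH[major])
    return needs_upgrade


if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to Mautic {target}")
```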

Added: Dec 2, 2025, 5:22 PM
Updated: Dec 2, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.