CVE•Published 2026-05-29•Modified 2026-05-29•1 article on news•6 live references•NVD data

CVE-2026-9559

Vulnerability data via NVD (ingested)

CVSS v3.1

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')CWE-73External Control of File Name or Path CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Description

A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.

Timeline

Published 2026-05-29

Modified 2026-05-29

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-9559

Hosts Shodan has explicitly fingerprinted as vulnerable.

More intel sources (5)

Shodan report

vuln:CVE-2026-9559

Country / ASN / product breakdown for the vuln query.

Censys

vulnerabilities.cve_id: CVE-2026-9559

Censys host search filtered to this CVE id.

grep.app

CVE-2026-9559