GHSA-9fcx-cv56-w58p

GitHub Security Advisory

Mautic vulnerable to Relative Path Traversal / Arbitrary File Deletion due to GrapesJS builder

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact
Prior to the patched versions, Mautic was vulnerable to Relative Path Traversal / Arbitrary File Deletion by logged-in users. Regardless of the level of access the Mautic user had, they could delete files outside the media folders, such as system files, libraries or other important files.

This vulnerability exists in the implementation of the GrapesJS builder in Mautic.
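The failure the advisory describes, a file-deletion request resolved relative to the media folder without confirming the result still lies inside that folder, comes down to a missing containment check. The Python below is an added example written for this page, not Mautic's code or its patch: `unsafe_delete` shows the weak pattern, `safe_delete` the hardened one, and the media folder, file names and the `config.php` stand-in are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def unsafe_delete(media_root: str, user_path: str) -> Path:
    """Weak pattern: join the user-supplied name onto the media folder and
    unlink it, with no check that the result stays inside that folder.
    A relative name such as '../x' walks straight out of the media root."""
    target = Path(media_root) / user_path
    target.unlink()
    return target


def safe_delete(media_root: str, user_path: str) -> Path:
    """Hardened pattern: canonicalise both the root and the requested
    target (following symlinks), then refuse unless the target is a strict
    descendant of the root and is a regular file."""
    root = Path(media_root).resolve(strict=True)
    target = (root / user_path).resolve()
    # Containment check on the *resolved* paths: this rejects '..' segments,
    # absolute paths, and symlinks inside the media folder that point outside.
    if root not in target.parents:
        raise ValueError(f"refusing to delete outside media root: {user_path}")
    if not target.is_file():
        raise FileNotFoundError(f"no such media file: {user_path}")
    target.unlink()
    return target


def demo() -> dict:
    """Constructed scenario: a temporary media folder holding one image, plus
    a file one level above it standing in for a system or config file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        media = base / "media"
        media.mkdir()
        (media / "logo.png").write_bytes(b"\x89PNG constructed sample")
        outside = base / "config.php"  # constructed stand-in, not a real Mautic file
        outside.write_text("<?php // constructed file outside the media folder\n")

        results = {}

        # Legitimate request: delete a file that really lives in media.
        safe_delete(str(media), "logo.png")
        results["in_root_deleted"] = not (media / "logo.png").exists()

        # Traversal request against the hardened function is rejected,
        # and the file outside the media folder survives.
        try:
            safe_delete(str(media), "../config.php")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        results["outside_survives_safe"] = outside.exists()

        # The same request against the weak pattern removes the outside file.
        unsafe_delete(str(media), "../config.php")
        results["outside_survives_unsafe"] = outside.exists()

        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The check is made on resolved paths rather than on the string the user sent, so it holds regardless of how the escape is spelled (`..` segments, an absolute path, or a symlink planted inside the media folder). Comparing `root` against `target.parents` also refuses a request that resolves to the media root itself, which a plain prefix comparison on strings would not.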

### Patches
Update to 4.4.12 or 5.0.4.

### Workarounds
None.

### References
- https://cwe.mitre.org/data/definitions/23.html
- https://cwe.mitre.org/data/definitions/22.html
- https://attack.mitre.org/techniques/T1630/002/

### For more information

If you have any questions or comments about this advisory:

Email us at [[email protected]](mailto:[email protected])

Affected Packages

- Packagist mautic/core: affected versions 3.3.0 (fixed in 4.4.12)
- Packagist mautic/core: affected versions 5.0.0-alpha (fixed in 5.0.4)

Key Information

- GHSA ID: GHSA-9fcx-cv56-w58p
- Published: April 12, 2024 5:07 PM
- Last Modified: October 2, 2024 4:18 PM
- CVSS Score: 7.5 / 10
- Primary Ecosystem: Packagist
- Primary Package: mautic/core
- GitHub Reviewed: Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.