Announcing Mautic 5.2.8: Pleione Edition
🔒Security release
This release addresses several security issues. Please update at your earliest convenience after taking a backup and ensuring that it's working.
🔒Security fixes
- https://www.cve.org/CVERecord?id=CVE-2025-9821 - SSRF via webhook function - Reported by @asesidaa and fixed by @patrykgruszka and tested/reviewed by @kuzmany in https://github.com/mautic/mautic/security/advisories/GHSA-hj6f-7hp7-xg69
- https://www.cve.org/CVERecord?id=CVE-2025-9822 - Secret data extraction via elfinder - Reported by @B0D0B0P0T and fixed by @lenonleite and tested/reviewed by @kuzmany in https://github.com/mautic/mautic/security/advisories/GHSA-438m-6mhw-hq5w
- https://www.cve.org/CVERecord?id=CVE-2025-9824 - User Enumeration via Response Timing - Reported by @Vautia and fixed by @nick-vanpraet and tested/reviewed by @kuzmany in https://github.com/mautic/mautic/security/advisories/GHSA-3ggv-qwcp-j6xg
- https://www.cve.org/CVERecord?id=CVE-2025-9823 - Reflected XSS in lead:addLeadTags - Quick Add - Reported and fixed by @nmmorette and tested/reviewed by @kuzmany and @patrykgruszka in https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm
SHA1(5.2.8.zip)= 5d14bd8f6b539faa3dcd981ca77c5cdf9833bbc5
SHA1(5.2.8-update.zip)= e09e902cd6c1c1ed4acdf1570a5c1564531e53c3