mautic/mautic 7.1.2

Mautic Community 7.1.2

on GitHub

Announcing Mautic 7.1.2: Aludra Edition

🔒 Security Release

This release addresses several security vulnerabilities. We strongly advise updating your installation at your earliest convenience after performing a full backup and testing the upgrade in a staging environment.

🔒 Security Fixes

• CVE-2026-4776: SQL Injection in API Contact Filtering

  • Attribution: Reported by @Senku01 and @Harish4948. Fixed by @Senku01. Reviewed by @patrykgruszka.
  • Advisory: GHSA-fcmw-wx57-9p75

• CVE-2026-9557: SSRF in the Mautic Focus Component

  • Attribution: Reported by @r1beirin and @dungNHVhust. Fixed by @patrykgruszka. Reviewed by @escopecz.
  • Advisory: GHSA-jmv8-8j9j-rcpc

• CVE-2026-9558: Server-Side Template Injection (SSTI) in Theme Templates

  • Attribution: Reported by @onurcangnc, @xfer0, and @Entropt. Fixed by @onurcangnc. Reviewed by @escopecz and @patrykgruszka.
  • Advisory: GHSA-9fx4-7cmj-47vg

• CVE-2026-9559: Path Traversal via Campaign Import

  • Attribution: Reported by @nglong05 and @f3nrir77. Fixed by @escopecz. Reviewed by @patrykgruszka.
  • Advisory: GHSA-6r9h-4h75-7q4x

• CVE-2026-9808: Authorization Bypass in API v2 Endpoints

  • Attribution: Reported by @zerlyer and @pavelkohout396. Fixed by @escopecz. Reviewed by @patrykgruszka.
  • Advisory: GHSA-2jrw-c95w-h43g

• CVE-2026-9809: Stored Cross-Site Scripting (XSS) in Projects Component

  • Attribution: Reported by @34selen. Fixed by @escopecz. Reviewed by @patrykgruszka.
  • Advisory: GHSA-7h65-whp7-rgqf

• CVE-2026-9811: Stored Cross-Site Scripting (XSS) in Project Option Selector

  • Attribution: Reported by @pavelkohout396. Fixed by @escopecz. Reviewed by @patrykgruszka.
  • Advisory: GHSA-5hvg-w58j-545m

🤖 DevOps Updates

• Update vulnerable Composer dependencies for 6.0 security phase (by @escopecz).

What's Changed

🐛 Bugs

• Bumping CK editor libraries by @escopecz in #16074
• Handling adding points to deleted contacts by @escopecz in #16073
• Register mautic:phpunit:config command in test environment only by @fedys in #16104
• fix(grapesjs): avoid MJML reparse in HTML mode in source editor by @fujijin in #15971
• Stabilizing a flaky test by @escopecz in #16134

New Contributors

• @fujijin made their first contribution in #15971

💡 Release Team & Sponsors

This release was made possible through the dedicated efforts of our community and supporters:

• Release Leader: @patrykgruszka
• Release Assistant: @escopecz
• Sponsor: Special thanks to @Leuchtfeuer for sponsoring this security release.

SHA1(7.1.2.zip)= 6da6aa5e2ad41d3f1a1f07788d05fd185e2e0fb3
SHA1(7.1.2-update.zip)= 584841094031c93229a9ebf144f92c34e35ffd26