Cyber Resilience

CVE-2026-9558

Severity: Critical (updated)

Published: 29 May 2026

Modified: 17 June 2026
CVSS Score (v3.1): 9.9, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0044 (35.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-9558 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.


Vulnerability details

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
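As an added illustration that is not part of this advisory or of Mautic's code base, the following PHP snippet contrasts an unsandboxed Twig environment with one that renders every template under a restrictive SecurityPolicy via Twig's SandboxExtension. It assumes the twig/twig package is installed through Composer; the two templates are constructed samples.

```php
<?php
// Added example (not Mautic's code): the weak configuration beside the hardened one.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample templates: one that stays inside the allow-list ...
$benign = 'Hello {{ name|escape }}';
// ... and one that calls a Twig function the policy does not permit.
$overreach = '{{ range(1, 3)|join(",") }}';

// Weak: the environment executes whatever tags, filters and functions the template asks for.
function renderUnsandboxed(string $tpl, array $vars): string
{
    $twig = new Environment(new ArrayLoader(['t' => $tpl]));
    return $twig->render('t', $vars);
}

// Hardened: an explicit allow-list; anything outside it raises a SecurityError.
function renderSandboxed(string $tpl, array $vars): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters
        [],                   // allowed methods, per class
        [],                   // allowed properties, per class
        []                    // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader(['t' => $tpl]));
    // second argument true = sandbox every template, not only {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->render('t', $vars);
}

echo renderUnsandboxed($overreach, []), PHP_EOL;             // 1,2,3 (function ran)
echo renderSandboxed($benign, ['name' => 'Ada']), PHP_EOL;    // Hello Ada

try {
    renderSandboxed($overreach, []);
} catch (SecurityError $e) {
    // the policy rejects the template before its output is produced
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list shown is deliberately minimal; a real theme policy would be broadened to exactly the tags, filters, and object methods the themes need and nothing more.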


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSTI in public-facing web app directly enables RCE via template abuse (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53909 (shared CWE-1336)
CVE-2026-34587 (shared CWE-1336)
CVE-2022-23851 (shared CWE-1336)
CVE-2025-49828 (shared CWE-1336)
CVE-2026-21448 (shared CWE-1336)
CVE-2025-59340 (shared CWE-1336)
CVE-2026-28784 (shared CWE-1336)
CVE-2025-64087 (shared CWE-1336)
CVE-2026-27961 (shared CWE-1336)
CVE-2026-21449 (shared CWE-1336)


Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
