A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Casky was already ahead
This CVE relies on attack patterns that Casky's matched skills (0 at the time of writing) investigate, independent of when any given vulnerability is disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who have run those skills have already seen the threat behaviour in their findings.
Server-Side Template Injection (SSTI) in Mautic's theme engine is a critical threat because it lets authenticated users with theme management permissions execute arbitrary code on the hosting server. The vulnerability stems from rendering uploaded Twig templates without Twig's sandbox or an allow-list of permitted tags, filters and functions, which turns a templating feature into a remote code execution (RCE) vector. It affects organizations deploying Mautic for marketing automation, particularly those with several administrators or delegated theme-management roles, where insider threats or compromised credentials are the realistic attack path. With a CVSS score of 9.9, exploitation can lead to complete system compromise, unauthorized access to customer data, and lateral movement within enterprise networks.
While this CVE currently maps to zero Casky skills, practitioners defending against similar SSTI patterns should focus on the Twig expression shapes that turn template rendering into code execution. Twig templates cannot call PHP functions such as `system()` or `exec()` directly; the known payloads reach them through filters that accept a PHP callable (`filter`, `map`, `reduce`, `sort`), for example `{{ ['id']|filter('system') }}`, or, on older Twig releases, by escaping into the environment through `_self.env` (e.g. `registerUndefinedFilterCallback`). The Symfony `app` global (request, session, user, token) and the `attribute()` function, which resolves property and method names at render time, are the usual routes to request and configuration data. Casky's Claude-powered analysis would flag these indicators in uploaded template files and correlate them to techniques under Execution and Defense Evasion. Security teams should add detection rules that scan theme uploads for callback-accepting filters with string callables, `_self.env` access and `app` global access, and pair them with behavioural monitoring for theme-upload events followed by unexpected child processes of the PHP worker (php-fpm, Apache) or reads of files outside the web root. Backticks are not Twig syntax and are a weak indicator on their own; process spawning in a Twig theme shows up as the filter and environment patterns above, not as shell quoting.
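The detection rule described above, written out as an added example. This is not Casky's or Mautic's code; it scans constructed Twig theme files for the payload shapes that Twig SSTI relies on (callback-accepting filters given a PHP function name, `_self.env` environment access, the Symfony `app` global, dynamic `attribute()` lookups, and raw PHP tags that have no business in a theme upload). The file names, severities and indicator list are assumptions chosen for the example, not a complete signature set.

```python
"""Scan uploaded Twig theme templates for expression shapes used in Twig SSTI.

Added example, not Casky's or Mautic's code. File paths, severities and the
indicator list are hypothetical starting points, not an exhaustive ruleset.
"""
import re
from dataclasses import dataclass

# PHP callables that turn a callback-accepting Twig filter into code execution
# or arbitrary file access when passed as a string argument.
DANGEROUS_CALLABLES = {
    "system", "exec", "passthru", "shell_exec", "popen", "proc_open",
    "file_get_contents", "file_put_contents", "readfile", "unlink",
}

# Twig output and tag expressions: {{ ... }} and {% ... %}
EXPR_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# A filter that accepts a callable, given a quoted PHP function name,
# e.g. ['id']|filter('system')  or  ['id']|map("passthru")
CALLBACK_FILTER_RE = re.compile(
    r"\|\s*(filter|map|reduce|sort)\s*\(\s*['\"]\\?([A-Za-z_]\w*)['\"]"
)
# Escape from the template into the Twig environment (older Twig releases).
ENV_ESCAPE_RE = re.compile(
    r"_self\s*\.\s*env|registerUndefined(?:Filter|Function)Callback"
)
# Symfony's `app` global exposes request, session and user objects.
APP_GLOBAL_RE = re.compile(
    r"(?<![\w.])app\s*\.\s*(request|session|user|token|environment|debug|flashes)\b"
)
# attribute() resolves property/method names at render time.
ATTRIBUTE_RE = re.compile(r"\battribute\s*\(")


@dataclass
class Finding:
    path: str
    severity: str
    indicator: str
    snippet: str


def scan_template(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious construct in a single template."""
    findings: list[Finding] = []
    if "<?php" in text:
        # Twig does not execute PHP tags, but a theme upload should never contain them.
        findings.append(Finding(path, "high", "php_tag", "<?php"))
    for m in EXPR_RE.finditer(text):
        expr = m.group(1) if m.group(1) is not None else m.group(2)
        snippet = m.group(0).strip()
        for fm in CALLBACK_FILTER_RE.finditer(expr):
            filt, callee = fm.groups()
            sev = "high" if callee.lower() in DANGEROUS_CALLABLES else "medium"
            findings.append(Finding(path, sev, f"callback_filter:{filt}->{callee}", snippet))
        if ENV_ESCAPE_RE.search(expr):
            findings.append(Finding(path, "high", "environment_escape", snippet))
        if APP_GLOBAL_RE.search(expr):
            findings.append(Finding(path, "medium", "app_global_access", snippet))
        if ATTRIBUTE_RE.search(expr):
            findings.append(Finding(path, "medium", "dynamic_attribute", snippet))
    return findings


def scan_theme(files: dict[str, str]) -> list[Finding]:
    """Scan every template in an unpacked theme (path -> file contents)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_template(path, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample theme: one benign template and three payload-bearing ones.
SAMPLE_THEME = {
    "html/base.html.twig": (
        "<!DOCTYPE html>\n<html><body>\n"
        "{% block content %}{{ content|raw }}{% endblock %}\n"
        "{{ outputScripts('bodyClose') }}\n</body></html>\n"
    ),
    "html/email.html.twig": "<p>{{ ['id']|filter('system') }}</p>\n",
    "html/page.html.twig": (
        "{{ _self.env.registerUndefinedFilterCallback('exec') }}"
        "{{ _self.env.getFilter('id') }}\n"
    ),
    "html/form.html.twig": "{{ app.request.server.all|json_encode }}\n",
}

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"[{f.severity}] {f.path}: {f.indicator}  {f.snippet}")
```

Run it against an unpacked theme archive by reading each `.html.twig` into the `files` dict; a `high` finding on upload is the trigger to quarantine the theme and pivot to process and file-access telemetry for the PHP worker around the upload time.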
Casky currently has 0 skills that investigate the attack patterns behind CVE-2026-9558.
© 2026 Casky.AI, Inc. · AI Security Investigation