Base Score

CRITICAL9

CVE-2025-13828

SummaryA non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ImpactA low-privileged user of the platform can install malicious code to obtain higher privileges.

VectorNETWORK

Published Bysecurity@mautic.org

Published DateDec 02, 2025, 17:16

Affected Versions(3)

mautic/core(Packagist)

Introduced4.0.0

Fixed4.4.18

LimitN/A

mautic/core(Packagist)

Introduced5.0.0

Fixed5.2.9

LimitN/A

mautic/core(Packagist)

Introduced6.0.0

Fixed6.0.7

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
mautic/core(Packagist)	4.0.0	4.4.18	N/A
mautic/core(Packagist)	5.0.0	5.2.9	N/A
mautic/core(Packagist)	6.0.0	6.0.7	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

CRITICAL

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://github.com/mautic/mautic/security/advisories/GHSA-3fq7-c5m8-g86x

Base Score

CRITICAL9

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

CRITICAL

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)