CVE-2025-13828: Mautic user without privileged access to the Marketplace can install and uninstall composer packages
A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based installation, even when the "enable composer based update" flag in the update settings is unticked.
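As an added illustration (not Mautic's own code), the following hypothetical model of a Marketplace action guard shows the defense-in-depth check whose absence the advisory describes: an install or uninstall request is refused unless the instance setting for Composer-based updates is enabled and the caller holds the Marketplace privilege, and every refusal is recorded for detection. The permission key `marketplace:packages:manage`, the setting name `composer_updates_enabled` and the sample users are assumptions, not values taken from Mautic.

```python
from dataclasses import dataclass, field

# Hypothetical names: Mautic's real permission and configuration keys may differ.
MARKETPLACE_PERMISSION = "marketplace:packages:manage"
ALLOWED_ACTIONS = ("install", "uninstall")

# Audit trail of refused requests, so repeated attempts by an unprivileged
# account become visible to whoever reviews the logs.
DENIED_ATTEMPTS: list[str] = []


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Settings:
    # Mirrors the "enable composer based update" tick box from the advisory.
    composer_updates_enabled: bool = False


class Forbidden(Exception):
    pass


def authorize_marketplace_action(user: User, settings: Settings, action: str) -> str:
    """Return a short reason when the action is allowed; raise Forbidden otherwise.

    Both conditions are checked on every request, regardless of which buttons
    the UI happens to render: the setting decides whether Composer operations
    are permitted at all, the permission decides who may trigger them.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown marketplace action: {action}")
    if not settings.composer_updates_enabled:
        DENIED_ATTEMPTS.append(f"{user.name}:{action}:updates-disabled")
        raise Forbidden("Composer-based updates are disabled in the instance settings")
    if MARKETPLACE_PERMISSION not in user.permissions:
        DENIED_ATTEMPTS.append(f"{user.name}:{action}:missing-permission")
        raise Forbidden(f"{user.name} lacks {MARKETPLACE_PERMISSION}")
    return f"{action} permitted for {user.name}"


def can_perform(user: User, settings: Settings, action: str) -> bool:
    """Boolean wrapper used by callers that only need the decision."""
    try:
        authorize_marketplace_action(user, settings, action)
        return True
    except Forbidden:
        return False
```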