CVE-2025-9823: Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add

September 3, 2025

A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.

References

github.com/advisories/GHSA-9v8p-m85m-f7mm
github.com/mautic/mautic
github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm
nvd.nist.gov/vuln/detail/CVE-2025-9823

Code Behaviors & Features

Detect and mitigate CVE-2025-9823 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →