CVE-2025-13828
published 2025-12-02


Priority: P350
Severity: critical
CVSS 4.0 base score: 9
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics not defined)
EPSS: 0.23% (percentile 13.2)
Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable composer based update" flag in the update settings is unticked.

Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges.

Affected (4 ranges)

Vendor   Product   Version range        Fixed in
mautic   core      >= 4.0.0, < 4.4.18   4.4.18
mautic   core      >= 5.0.0, < 5.2.9    5.2.9
mautic   core      >= 6.0.0, < 6.0.7    6.0.7
mautic   mautic    (not listed)         (not listed)
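A practical way to use the ranges above is to check the installed Mautic core version from a Composer-based install against them. The script below is an added example, not code from the page or from the Mautic project: it parses a composer.lock document, pulls out the core package version, and reports which fixed release to upgrade to. The package name "mautic/core-lib" and the sample lock file are assumptions made for the example. Note that, per the advisory, the "enable composer based update" setting does not block the operation, so its state is not a useful check; only the version is.

```python
"""Check a Mautic core version against the affected ranges listed for CVE-2025-13828."""
import json
import re
from typing import Optional

# Affected ranges exactly as listed on this page:
# (lower bound inclusive, upper bound exclusive, fixed release).
AFFECTED_RANGES = [
    ("4.0.0", "4.4.18", "4.4.18"),
    ("5.0.0", "5.2.9", "5.2.9"),
    ("6.0.0", "6.0.7", "6.0.7"),
]

# MAJOR.MINOR.PATCH with optional leading "v", optional "-prerelease", optional "+build".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn a version string into a comparable tuple.

    The fourth element is 0 for a pre-release and 1 for a final release, so
    that "5.2.9-rc1" sorts below "5.2.9" (as semver requires) and is still
    treated as affected. Build metadata after "+" is ignored.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return fixed
    return None


def is_vulnerable(version: str) -> bool:
    """True when the given core version falls inside one of the listed ranges."""
    return fixed_version_for(version) is not None


def core_version_from_lock(lock_json: str, package: str = "mautic/core-lib") -> Optional[str]:
    """Pull the resolved version of `package` out of a composer.lock document.

    composer.lock lists resolved packages under "packages" (and dev-only ones
    under "packages-dev"), each with "name" and "version". The default package
    name is an assumption about how a Composer-based Mautic install names its core.
    """
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


# Constructed sample: a trimmed composer.lock for an install still on 5.2.8.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v5.4.40"},
        {"name": "mautic/core-lib", "version": "v5.2.8"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    installed = core_version_from_lock(SAMPLE_LOCK)
    print(installed, "->", fixed_version_for(installed))  # v5.2.8 -> 5.2.9
```

Run it against a real install by reading the lock file from disk and passing its contents to core_version_from_lock; if the package name differs in your install, pass it explicitly. Upgrading to the listed fixed release is the only remediation the advisory gives.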