CVE-2025-13828
Mautic user without privileged access to the Marketplace can install and uninstall composer packages
EPSS 0.06%
Description
### Summary A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ### Impact A low-privileged user of the platform can install malicious code to obtain higher privileges.
How to fix CVE-2025-13828
To remediate CVE-2025-13828, upgrade the affected package to a fixed version below.
- Packagist/mautic/core—upgrade to 4.4.18 or later
Is CVE-2025-13828 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.4.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |