Mautic up to 6.0.1/5.4.5/4.4.15 /page/preview/1 improper validation of specified quantity in input

Summaryinfo

A vulnerability classified as critical was found in Mautic up to 6.0.1/5.4.5/4.4.15. This affects an unknown function of the file /page/preview/1. Executing a manipulation can lead to improper validation of specified quantity in input. This vulnerability is registered as CVE-2025-5257. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability has been found in Mautic up to 6.0.1/5.4.5/4.4.15 and classified as critical. This vulnerability affects an unknown function of the file /page/preview/1. The manipulation with an unknown input leads to a improper validation of specified quantity in input vulnerability. The CWE definition for the vulnerability is CWE-1284. The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. As an impact it is known to affect confidentiality, and availability. CVE summarizes:

SummaryThis advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information. Unauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., /page/preview/1, /page/preview/2), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable. MitigationMautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later.

The advisory is available at github.com. This vulnerability was named CVE-2025-5257 since 05/27/2025. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit.

Upgrading to version 6.0.2, 5.4.6 or 4.4.16 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Mautic

Version

• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 4.4.5
• 4.4.6
• 4.4.7
• 4.4.8
• 4.4.9
• 4.4.10
• 4.4.11
• 4.4.12
• 4.4.13
• 4.4.14
• 4.4.15
• 5.4.0
• 5.4.1
• 5.4.2
• 5.4.3
• 5.4.4
• 5.4.5
• 6.0.0
• 6.0.1

License

• open-source

Website

• Product: https://github.com/mautic/mautic/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion