CVE-2025-9823: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability (CVE-2025-9823) was discovered in Mautic's lead:addLeadTags endpoint. The vulnerability affects Mautic versions >= 4.4.0, < 4.4.17, >= 5.0.0-alpha, < 5.2.8, and >= 6.0.0-alpha, < 6.0.5. The issue was disclosed on September 3, 2025, and allows attackers to execute arbitrary JavaScript in the context of another user's session due to improper input sanitization (Mautic Advisory).

The vulnerability resides in the "Tags" input field on the /s/ajax?action=lead:addLeadTags endpoint. While the server implements sanitization for stored data, the vulnerability allows immediate execution of reflected payloads in the victim's browser. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The weakness has been categorized as CWE-79: Improper Neutralization of Input During Web Page Generation (Mautic Advisory).

The Reflected XSS vulnerability enables attackers to steal sensitive user data including cookies, redirect users to malicious websites, manipulate web page content, and potentially take control of user sessions. This allows attackers to perform actions as if they were the logged-in user, even when server-side code remains secure (Mautic Advisory).

The vulnerability has been patched in Mautic versions 4.4.17, 5.2.8, and 6.0.5. Users are advised to upgrade to these patched versions to mitigate the risk (Mautic Advisory).