CVE-2026-9811 | Mautic up to 7.1.1 Project Selector cross site scripting (GHSA-5hvg-w58j-545m / WID-SEC-2026-1724)

Stored Cross-Site Scripting (CVE-2026-9811) was found in Mautic up to 7.1.1 within the Project Selector component: an authenticated user with project-creation rights can persist malicious JavaScript in project names that executes in administrators' browsers when the selector is rendered. No public exploit is available; upgrade to Mautic 7.1.2 is recommended to remediate the issue.