CVE-2026-9809 | Mautic up to 7.1.1 Projects cross site scripting (GHSA-7h65-whp7-rgqf / WID-SEC-2026-1724)

ID: 70ddd7fb-9141-5496-8cf6-1143a0ca6ab3

STIX ID: report--70ddd7fb-9141-5496-8cf6-1143a0ca6ab3

Feed Name: VulDB Recent Entries

Threat Score: 55/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: vuldb.com

A stored cross-site scripting vulnerability (CVE-2026-9809) exists in the Projects component of Mautic up to 7.1.1. Authenticated users with permission to create or edit projects can inject malicious script into project names; the script executes in administrative users' browsers when they view or hover over project tags, enabling actions such as configuration changes or data exfiltration. The issue is publicly disclosed (GHSA-7h65-whp7-rgqf), no public exploit is available, and upgrading to Mautic 7.1.2 mitigates the vulnerability.
