Information disclosure in Mautic - CVE-2021-27908
Published: March 22, 2021 / Updated: May 25, 2026
Mautic
Detailed vulnerability description
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in free text configuration fields rendered in publicly facing parts of the application when referencing Symfony parameters in configuration content. A local privileged user can enter crafted parameter references into a free text configuration field to disclose sensitive information.
User interaction is required to visit a page that renders the crafted content.