CVE-2025-9821

low-risk

Published 2025-09-03

SummaryUsers with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed DetailsWhen sending webhooks, the destination is not validated, causing SSRF. ImpactBypass of firewalls to interact with internal services. See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ for more potential impact. Resources https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF and its fix.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.7/10 Low

NETWORK / LOW complexity

References (1)

https://github.com/mautic/mautic/security/advisories/GHSA-hj6f-7hp7-xg69

/ 100

low-risk

Severity 14/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal