
Mautic

MKT AUTO
Velocity: 6.3

Open-source marketing automation platform for email, social, and lead management.

Mautic patches a SQL injection CVE across three release lines and previews 7.2 'Lynx' for the next major.

Tags: sql injection cve, coordinated security release, mautic 7.2 lynx, self-hosted marketing automation, open-source release cadence
Current state
Mautic shipped coordinated security releases on May 28 fixing CVE-2026-4776, a SQL injection in API contact filtering, in 7.1.2, 6.0.9, and 5.2.11, one fixed release for each supported branch. Days later the project posted the 7.2.0 'Lynx' Release Candidate, signaling that the next minor is close. The cadence shows the steady volunteer-driven release rhythm typical of mature open-source marketing automation.
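As an added operator check (example code written for this page, not Mautic project code): given an installed version string, the script below maps it to its release branch and compares it against the first fixed release for that branch. The fixed-version table contains only what this page states (7.1.2, 6.0.9, 5.2.11); the 7.2.0 release candidate and any branch not listed are reported as UNKNOWN because the page does not say whether they carry the fix. The version strings in the `__main__` block are constructed sample inputs.

```python
"""Check an installed Mautic version against the fixed releases for CVE-2026-4776.

Added example, not Mautic project code. The branch -> first-fixed-version table
is taken from the release summary on this page. Whether the 7.2.0 release
candidate or any unlisted branch carries the fix is not stated there, so those
are reported as UNKNOWN rather than guessed.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Branch (major, minor) -> first patch release containing the fix (from the page).
FIXED_RELEASES = {
    (7, 1): (7, 1, 2),
    (6, 0): (6, 0, 9),
    (5, 2): (5, 2, 11),
}

# Accepts "7.1.2", "v7.1.2", "7.2.0-rc1"; rejects anything else.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?$")


class VersionInfo(NamedTuple):
    release: Tuple[int, int, int]  # (major, minor, patch)
    prerelease: Optional[str]      # e.g. "rc1", or None for a final release


def parse_version(text: str) -> VersionInfo:
    """Parse 'MAJOR.MINOR.PATCH' with an optional pre-release suffix such as '-rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return VersionInfo((int(major), int(minor), int(patch)), pre)


def assess(installed: str) -> str:
    """Classify an installed version as PATCHED, VULNERABLE or UNKNOWN."""
    v = parse_version(installed)
    fixed = FIXED_RELEASES.get(v.release[:2])
    if fixed is None:
        # Branch not covered by the page's table (7.2 RC, 4.x, ...): don't guess.
        return "UNKNOWN"
    if v.prerelease:
        # A pre-release of the fixed version itself (e.g. 7.1.2-rc1) precedes the
        # final release, so only a strictly later release counts as patched.
        return "PATCHED" if v.release > fixed else "VULNERABLE"
    return "PATCHED" if v.release >= fixed else "VULNERABLE"


if __name__ == "__main__":
    import sys

    # Constructed sample inputs; pass real versions as arguments instead.
    samples = sys.argv[1:] or ["7.1.2", "7.1.1", "6.0.8", "5.2.11", "7.2.0-rc1", "4.4.0"]
    for version in samples:
        print(f"{version:12s} {assess(version)}")
```

Run it with the output of whatever reports your installed version (the admin UI or your deployment manifest) and treat UNKNOWN as "confirm with the upstream advisory", not as safe.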
Where it's heading
Mautic continues to maintain three release lines in parallel, which is unusual for a community OSS project and signals real production use across long-lived self-hosted deployments. The simultaneous CVE patches and the new RC suggest a maintainer cohort with bandwidth for both security response and forward feature work. The Lynx RC will likely shape the second half of 2026 for self-hosted marketing-automation deployments seeking a HubSpot/Marketo alternative.
Prediction
Expect 7.2 GA within a month, followed by 7.1.x and 6.0.x bug-fix releases as Lynx changes percolate. The next visible move beyond patching will be community-led work on AI-assisted email content or segmentation, given the broader marketing-automation peer set is shipping those features.

Recent moves

  1. 25d ago

    Mautic 7.2.0 Lynx Release Candidate

    Release Candidate for Mautic 7.2.0 (Lynx Edition) with refactoring and DevOps improvements, including better webhook command output. It sets the tone for the next minor, but it is a release candidate, not a production build.

  2. 1mo ago

    Mautic 7.1.2 patches CVE-2026-4776 SQL injection


    Security release patching CVE-2026-4776, a SQL injection in API contact filtering, shipped simultaneously across the 7.1, 6.0, and 5.2 lines. Every Mautic operator on a supported branch needs to plan an upgrade to 7.1.2, 6.0.9, or 5.2.11 respectively.

  3. 1mo ago

    Mautic 6.0.9 backports CVE-2026-4776 SQL injection fix

    6.0.9 backport of the CVE-2026-4776 SQL injection fix for installations on the 6.0 branch. Same CVE coverage as 7.1.2, applied to a different supported line.

  4. 1mo ago

    Mautic 5.2.11 Capella backports CVE-2026-4776 fix

    5.2.11 Capella backport of the CVE-2026-4776 SQL injection fix for the long-tail 5.2 LTS-style line. Confirms maintainers are supporting older branches, important for enterprise self-hosters.

  5. 1mo ago

    Mautic 7.1.1 Adhara: segments and assets bug-fix release

    Routine bug-fix release for the 7.1 line covering segment operator fixes, asset-limit defaults, and contact-timeline view repair. Maintenance-grade.

  6. 2mo ago

    Mautic 7.1.0 Canis Major: refactoring and stricter validation

    7.1.0 Canis Major brought refactoring, strict slug validation for asset downloads, and campaign email lookup moved to EventRepository. Sets up the platform stability that the 7.1.x patch cadence is now reinforcing.
