← Back to all sparks
M

Mautic

MKT AUTO
Velocity2.5

Open-source marketing automation platform for email, social, and lead management.

Mautic hardens security across three branches and lines up a feature-heavy 7.2.

marketing-automationopen-sourcesecurity-cvesemail-deliverabilitygrapesjs-builderphp-8.5
Current state
Mautic is in a maintenance-and-hardening phase. The standout is a coordinated security release across three supported branches (7.1.2, 6.0.9, 5.2.11) fixing seven CVEs, including SQL injection in API contact filtering and an API v2 authorization bypass. In parallel, 7.1.3 cleans up campaign and email reliability bugs, and a 7.2.0 release candidate stages the next feature line.
Where it's heading
The project is balancing three commitments: keeping older branches (5.2, 6.0, 7.0/7.1) patched for security, steadily fixing campaign and GrapesJS-builder reliability, and building 7.2 around transactional email, better bot detection, and PHP 8.5 support. It reads as the cadence of a mature open-source platform serving a broad installed base, not one chasing new categories.
Prediction
The 7.2.0 RC points to a stable 7.2 GA next, carrying truly transactional emails, Matomo-based bot detection, and the GrapesJS builder improvements out of pre-release.

Recent moves

  1. 2d ago

    Mautic 7.1.3: fixes campaign restart and email-resend loops

    A maintenance patch centered on reliability: fixes for campaign restart, an infinite reschedule loop, and an infinite email-resend loop that users would see as duplicate sends, plus GrapesJS builder and API v2 OAuth fixes.

    View source ↗
  2. 1mo ago

    Mautic 7.2 RC adds transactional email and bot detection

    The 7.2 release candidate stages the next feature line: truly transactional emails, Matomo-based bot detection for tracking, tokens in the FROM address, GrapesJS theme styling, and import and query performance work. It is an RC, flagged for testing rather than production.

    View source ↗
  3. 1mo ago

    Mautic 7.1.2 security release patches 7 CVEs

    A security release patching seven CVEs, including SQL injection in API contact filtering, SSRF, SSTI, path traversal, and an API v2 authorization bypass. A must-apply update on the 7.1 branch.

    View source ↗
  4. 1mo ago

    Mautic 6.0.9 backports the security CVE fixes to 6.0

    The same security batch backported to the 6.0 branch (SQL injection, SSRF, SSTI), keeping older supported installs patched. A parallel-branch release rather than new functionality.

    View source ↗
  5. 1mo ago

    Mautic 5.2.11 backports the security CVE fixes to 5.2

    The security batch backported to the 5.2 branch (SQL injection, SSRF, SSTI) alongside Symfony 5.4 dependency refreshes — maintenance for long-tail installs.

    View source ↗
  6. 2mo ago

    Mautic 7.1.1: minor segment and asset bug fixes

    A small patch with a handful of segment, asset, and trusted-host fixes; routine maintenance shipped ahead of the security releases.

    View source ↗