A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative deta…

A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. The vulnerability occurs when user-supplied project names are rendered without proper sanitization in administrative detail views. An authenticated user with project creation/editing permissions can inject malicious script payloads. When administrative users view entities associated with compromised projects and hover over tags, the injected scripts execute in their browser session. This could enable attackers to perform administrative actions, alter system configurations, or exfiltrate sensitive data through privilege escalation.