CVE-2026-3105
SQL Injection in Contact Activity API Sorting
CVSS Score
7.6
EPSS Score
0.0%
EPSS Percentile
0th
SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1Β or later. WorkaroundsNone. ReferencesIf you have any questions or comments about this advisory: Email us at [email protected]
| CWE | CWE-89 |
| Vendor | mautic |
| Product | mautic |
| Published | Feb 24, 2026 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for mautic mautic
Be the first to know when new high vulnerabilities affecting mautic mautic are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
Affected Versions
Mautic / Mautic
>= 2.10.0 < < 4.4.19 <5.2.10 <6.0.8 <7.0.1
References
Credits
π q1uf3ng parykgruszka escopecz Leuchtfeuer Digital Marketing