Home

Description

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later. WorkaroundsNone. ReferencesIf you have any questions or comments about this advisory: Email us at security@mautic.org

PUBLISHED Reserved 2026-02-24 | Published 2026-02-24 | Updated 2026-02-24 | Assigner Mautic




HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

>= 2.10.0 (semver) before < 4.4.19 <5.2.10 <6.0.8 <7.0.1
affected

Timeline

2026-02-15:Report received
2026-02-18:Report accepted
2026-02-24:Advisory published

Credits

q1uf3ng reporter

parykgruszka remediation developer

escopecz remediation reviewer

Leuchtfeuer Digital Marketing sponsor

References

github.com/...mautic/security/advisories/GHSA-r5j5-q42h-fc93

cve.org (CVE-2026-3105)

nvd.nist.gov (CVE-2026-3105)

Download JSON