Description

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
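
The weakness class described above, modelled as an added example (illustrative code, not Mautic's implementation): a filter validator that checks only the top level of a nested query-parameter structure lets a bad column name through inside a nested group, while a recursive validator with a depth bound rejects it. The filter shape (`where` groups holding `col`/`expr`/`val` clauses) and the allow-lists are assumptions.

```python
"""Model of CWE-89 via non-recursive validation of nested filter params.
Illustrative only; the filter shape and allow-lists are assumed."""

# Allow-listed column names and operators; anything else is rejected.
ALLOWED_COLUMNS = {"email", "firstname", "lastname", "date_added"}
ALLOWED_EXPRS = {"eq", "neq", "like", "gt", "lt"}


def clause_problems(clause):
    """Return validation errors for one leaf clause (empty list if clean)."""
    errs = []
    if clause.get("col") not in ALLOWED_COLUMNS:
        errs.append(f"column not allowed: {clause.get('col')!r}")
    if clause.get("expr") not in ALLOWED_EXPRS:
        errs.append(f"operator not allowed: {clause.get('expr')!r}")
    return errs


def validate_shallow(where):
    """Vulnerable pattern: validates only the top-level list of clauses.
    Nested 'where' groups are passed through unchecked."""
    errs = []
    for clause in where:
        if "where" in clause:  # nested group is skipped: this is the bug
            continue
        errs += clause_problems(clause)
    return errs


def validate_recursive(where, depth=0, max_depth=8):
    """Fixed pattern: descend into every nested group, bounding the depth so
    deeply nested input cannot exhaust the stack."""
    if depth > max_depth:
        return ["filter nested too deeply"]
    errs = []
    for clause in where:
        if "where" in clause:
            errs += validate_recursive(clause["where"], depth + 1, max_depth)
        else:
            errs += clause_problems(clause)
    return errs


# Constructed sample: a clean top-level clause plus a non-identifier column
# name hidden two group levels down, where the shallow check never looks.
SAMPLE_FILTER = [
    {"col": "email", "expr": "like", "val": "%@example.com"},
    {"where": [{"where": [{"col": "email OR 1=1", "expr": "eq", "val": ""}]}]},
]
```

Running `validate_shallow(SAMPLE_FILTER)` returns no errors, whereas `validate_recursive(SAMPLE_FILTER)` flags the nested column; a detection rule on API logs would likewise need to inspect the full nested structure rather than the top-level keys only.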

PUBLISHED Reserved 2026-03-24 | Published 2026-05-29 | Updated 2026-05-29 | Assigner Mautic




HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Problem types

CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')

Product status

Default status
unaffected

2.6.0 (semver) before 4.4.20
affected

5.0.0 (semver) before 5.2.11
affected

6.0.0 (semver) before 6.0.9
affected

7.0.0 (semver) before 7.1.2
affected

Credits

Vignesh P (@Senku01) finder

Harish P (@Harish4948) finder

Patryk Gruszka (@patrykgruszka) remediation reviewer

Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

github.com/...mautic/security/advisories/GHSA-fcmw-wx57-9p75

cve.org (CVE-2026-4776)

nvd.nist.gov (CVE-2026-4776)

Download JSON