CVE-2026-3105
February 24, 2026
SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.
WorkaroundsNone.
ReferencesIf you have any questions or comments about this advisory:
Email us at security@mautic.org
Affected Packages
mautic/core (PHP):
Affected version(s) >=6.0.0-alpha <6.0.8Fix Suggestion:
Update to version 6.0.8mautic/core (PHP):
Affected version(s) >=7.0.0-alpha <7.0.1Fix Suggestion:
Update to version 7.0.1mautic/core (PHP):
Affected version(s) >=2.10.0 <5.2.10Fix Suggestion:
Update to version 5.2.10Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
EPSS
Base Score:
0.04
