CVE-2026-3105

Published: Feb 24, 2026

Modified: Feb 26, 2026

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later. WorkaroundsNone. ReferencesIf you have any questions or comments about this advisory: Email us at [email protected]

Vendor	Product	Versions
Mautic	Mautic	affected `>= 2.10.0 - < < 4.4.19 <5.2.10 <6.0.8 <7.0.1`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

References

https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3105

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References