CVE-2026-3105

7.6 HIGH
Published: February 24, 2026 Modified: February 27, 2026
View on NVD

Description

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1Β or later. WorkaroundsNone. ReferencesIf you have any questions or comments about this advisory: Email us at security@mautic.org

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93
Source: security@mautic.org
Vendor Advisory Mitigation

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.6 / 10.0
EPSS (Exploit Probability)
0.0%
11th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-89

Affected Vendors

acquia

Related CVEs

CVE-2019-25582 6.5
CVE-2019-25581 8.2
CVE-2019-25580 8.2
CVE-2019-25579 7.5
CVE-2019-25578 8.2