CVE-2026-3105
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description
Summary
This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation
Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds
None.

References
If you have any questions or comments about this advisory: Email us at [email protected]
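The root cause named above is a sort parameter that reached the SQL string without an allowlist check. The following is an added example, not Mautic's code, of the pattern the fix relies on: the user-supplied column and direction are compared strictly against fixed allowlists, and only the allowlisted tokens are ever interpolated into ORDER BY. The table, column and parameter names (`contact_events`, `date_added`, `event_type`) are hypothetical placeholders and do not reflect Mautic's schema or its real API parameters.

```php
<?php
// Added example (not Mautic's code): allowlist validation of sort parameters
// before they are interpolated into an ORDER BY clause. Table, column and
// parameter names below are hypothetical, not Mautic's actual schema or API.
declare(strict_types=1);

final class SortValidator
{
    /** Hypothetical allowed sort columns for a contact-activity listing. */
    private const ALLOWED_COLUMNS = ['date_added', 'event_type', 'id'];

    /** The only two tokens that may ever follow the column in ORDER BY. */
    private const ALLOWED_DIRECTIONS = ['ASC', 'DESC'];

    /**
     * Returns [column, direction], both guaranteed to be allowlist members.
     * Any other input is rejected outright rather than "cleaned" and passed on.
     *
     * @return array{0: string, 1: string}
     */
    public static function normalize(?string $column, ?string $direction): array
    {
        $column = $column ?? 'date_added';
        // Strict (===) membership test: no regex, no partial matching, so a
        // value that merely starts with a valid token is still rejected.
        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Unknown sort column');
        }

        // Case-insensitive input is tolerated, but the value that reaches SQL
        // is always one of the two literal allowlist entries, never the input.
        $direction = strtoupper(trim($direction ?? 'DESC'));
        if (!in_array($direction, self::ALLOWED_DIRECTIONS, true)) {
            throw new InvalidArgumentException('Sort direction must be ASC or DESC');
        }

        return [$column, $direction];
    }
}

/**
 * Builds the activity query. ORDER BY cannot take bound parameters, so the
 * allowlisted tokens are interpolated; every value-level filter stays bound.
 */
function buildActivityQuery(PDO $pdo, int $contactId, ?string $column, ?string $direction): PDOStatement
{
    [$col, $dir] = SortValidator::normalize($column, $direction);

    $sql = "SELECT id, event_type, date_added FROM contact_events"
         . " WHERE contact_id = :contact ORDER BY {$col} {$dir}";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':contact', $contactId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt;
}

// Constructed inputs: the first is accepted and canonicalised, the second is
// rejected because it is not exactly one of the allowlisted tokens.
var_dump(SortValidator::normalize('date_added', 'desc')); // ['date_added', 'DESC']

try {
    SortValidator::normalize('date_added', 'DESC, id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same check is needed when the query is built through Doctrine's QueryBuilder, since `orderBy()` concatenates its arguments into the SQL text rather than binding them. Logging the rejections from `normalize()` gives a cheap signal for the "enhanced logging on this endpoint" step recommended under Remediation: legitimate clients only ever send the two allowlisted values.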
Analysis
Mautic's Contact Activity API endpoint is vulnerable to SQL injection due to insufficient validation of the sort direction parameter, allowing authenticated attackers to execute arbitrary SQL queries. This high-severity vulnerability (CVSS 7.6) affects multiple versions and could enable unauthorized data access or modification. …
Remediation
Within 24 hours: Identify all systems using the affected API endpoint and assess exposure; enable enhanced logging on this endpoint. Within 7 days: Deploy WAF rules to block SQL injection patterns targeting the contact activities endpoint; consider temporary API rate limiting or IP whitelisting. …
External POC / Exploit Code
GHSA-r5j5-q42h-fc93