What is the CVSS score of CVE-2026-4776?

CVE-2026-4776 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Mautic's API are affected by CVE-2026-4776?

Mautic's API contact filtering contains an authenticated SQL injection vulnerability (CVE-2026-4776, CVSS 7.1, no public exploit identified at time of analysis).

How to fix or mitigate CVE-2026-4776?

Within 24 hours: verify all Mautic instances in use and determine affected versions; audit all active API integrations and document legitimate uses. Within 7 days: restrict API access to essential integrations only, rotate all Mautic API credentials, and enable detailed request logging. Within 30 days: monitor Mautic security advisories for patch availability; contact Mautic support for estimated patch release timeline; evaluate network segmentation if high-risk integrations cannot be immediately restricted.

Mautic's API CVE-2026-4776

EUVD-2026-33256 HIGH

SQL Injection (CWE-89)

2026-05-29 Mautic

SQLi

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 08:15 vuln.today

DescriptionCVE.org

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.

Articles & Coverage 1

medium.com CVE-2026-4776: Mautic API Recursive Reference Vulnerability Enables API Exploitation Jun 02, 2026

AnalysisAI

Authenticated SQL injection in Mautic's API contact filtering allows API users to execute arbitrary SQL by abusing insufficient recursive sanitization of nested query parameters. The flaw (CWE-89) yields full read access to database contents and partial availability impact, but requires valid API credentials (PR:L). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: verify all Mautic instances in use and determine affected versions; audit all active API integrations and document legitimate uses. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4776 vulnerability details – vuln.today

Back