CVE-2026-3105 · HIGH 8.8 · EPSS p20.4%


Description

Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds: None.

References: If you have any questions or comments about this advisory, email us at security@mautic.org

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% probability of exploitation · percentile 20.4% · 2026-06-19T12:03:05Z
Published: 2026-02-24
Last modified: 2026-02-27

Underlying weaknesses (1)

CWE-89

References

  1. https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93


Type     | Target                                                                                   | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus (all CVE entries):

  1. CVE-2026-21630
  2. CVE-2026-22336
  3. CVE-2025-67830
  4. CVE-2025-67829
  5. CVE-2025-28967
  6. CVE-2026-27743
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.