CVE-2026-3105
HIGH 7.6
Description
Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds: None.

References: If you have any questions or comments about this advisory: Email us at security@mautic.org
CVE details
CVSS v3.1 score: 7.6
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/24/2026
Last modified: 2/27/2026
Source: nvd
Honeypot sightings: 0
Affected products
acquia:mautic
Weaknesses (CWE)
CWE-89
References
https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93(security@mautic.org)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.