CVE-2026-3105
HIGH 7.6
Description

Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds: None.

References: If you have any questions or comments about this advisory, email us at security@mautic.org.
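The advisory's root cause is a sort-direction parameter that reached the ORDER BY clause without being checked against an allowlist. The following is an added illustration, not Mautic's own code: the function, table and column names are hypothetical. It shows the control the advisory describes, which is to accept only exact, known values for sort direction (and sort column) and to build the ORDER BY fragment solely from those allowlisted values, since ORDER BY terms cannot be supplied as bound prepared-statement parameters.

```php
<?php
// Added example (not Mautic's code): allowlist validation of a client-supplied
// sort direction and sort field before they are used in an ORDER BY clause.
// All function, table and column names below are hypothetical.

declare(strict_types=1);

/**
 * Normalise a client-supplied sort direction and reject anything that is not
 * exactly ASC or DESC. Direction cannot be bound as a query parameter, so an
 * allowlist is the appropriate control.
 */
function normalizeSortDirection(?string $direction): string
{
    $allowed   = ['ASC', 'DESC'];
    $candidate = strtoupper(trim((string) $direction));
    if (!in_array($candidate, $allowed, true)) {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    return $candidate;
}

/**
 * Same approach for the sort field: map an API-level field name to a known
 * column name, never using the raw input in SQL text.
 */
function normalizeSortColumn(?string $field): string
{
    $columns = ['date' => 'date_added', 'type' => 'event_type']; // hypothetical mapping
    $key = strtolower(trim((string) $field));
    if (!array_key_exists($key, $columns)) {
        throw new InvalidArgumentException('Invalid sort field');
    }
    return $columns[$key];
}

/**
 * Build the query for a contact's activity timeline. Only allowlisted values are
 * interpolated; the contact id stays a bound parameter (:contactId) for the caller.
 */
function buildActivityQuery(?string $sortField, ?string $sortDirection): string
{
    $column = normalizeSortColumn($sortField);
    $dir    = normalizeSortDirection($sortDirection);
    return "SELECT id, event_type, date_added FROM contact_activity"
         . " WHERE contact_id = :contactId ORDER BY {$column} {$dir}";
}

// Demonstration with constructed inputs: two accepted, two rejected.
$cases = [
    ['date', 'desc'],      // accepted, normalised to DESC
    ['type', 'ASC'],       // accepted
    ['date', 'DESC extra'],// rejected: not an exact allowlist match
    ['created', 'ASC'],    // rejected: unknown sort field
];
foreach ($cases as [$field, $dir]) {
    try {
        echo buildActivityQuery($field, $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        printf("rejected (%s, %s): %s%s", $field, $dir, $e->getMessage(), PHP_EOL);
    }
}
```

The check is deliberately an exact match after trimming and case-folding rather than a pattern or a "strip dangerous characters" filter: anything that is not one of the two known tokens is refused, and the same pattern applied to the sort field keeps raw client input out of the SQL string entirely.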
CVE details
CVSS v3.1 score: 7.6
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/24/2026
Last modified: 2/27/2026
Source: nvd
Honeypot sightings: 0
Affected products
acquia:mautic
Weaknesses (CWE)
CWE-89
References
https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93 (security@mautic.org)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.