CVE-2026-3105

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-3105

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3105.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-3105

Aliases

GHSA-r5j5-q42h-fc93

Published

2026-02-24T20:27:50.713Z

Modified

2026-02-28T08:05:20.428333Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

MitigationPlease update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

WorkaroundsNone.

ReferencesIf you have any questions or comments about this advisory:

Email us at security@mautic.org

References

https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93

Affected packages

Git / github.com/mautic/mautic

Affected ranges

Type: GIT
Repo: https://github.com/mautic/mautic
Events: Introduced

12f062e87dd1c470893724b12be7b623ecd22f2b

Fixed

fc6a8054b7e10d0be3665eb5ae4909980c3a207d

Introduced

21ab270a3516635551d7464fc604f4e5e1ae3aea

Fixed

f6f1a670deccff533796378b889298705494d421

Introduced

96b53794017cde917e1e4262ebaaae5099e3586a

Fixed

4c29f1e00d821fe120b96d1727b96abaaf2ff8c0

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.1.0

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

7.*

7.0.0

7.0.0-alpha

7.0.0-beta

7.0.0-rc

7.0.0-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3105.json"