VYPR
High severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026

SQL Injection in Contact Activity API Sorting

CVE-2026-3105

Description

Summary

This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
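The pattern the summary describes, shown as an added illustration that is not Mautic's code: a sort direction spliced into ORDER BY verbatim beside the same query built against a fixed allowlist. The in-memory table, its column names and the rows are constructed for the example; it also shows why the direction cannot simply be bound as a query parameter.

```python
import sqlite3

# Constructed in-memory stand-in for a contact activity table; the column
# names and rows are illustrative and not Mautic's schema.
SAMPLE_ROWS = [("alice", "2026-02-01"), ("bob", "2026-02-03"), ("carol", "2026-02-02")]
ALLOWED_DIRECTIONS = ("ASC", "DESC")
ALLOWED_COLUMNS = ("dateAdded", "contact")


def normalize_direction(direction):
    """Map the request's sort direction onto the allowlist or refuse it."""
    value = str(direction).strip().upper()
    if value not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return value


def timeline_query_unsafe(column, direction):
    # Vulnerable pattern: the request value is spliced into the statement
    # verbatim, so anything beyond ASC/DESC becomes part of the SQL.
    return f"SELECT contact FROM activity ORDER BY {column} {direction}"


def timeline_query_safe(column, direction):
    # Hardened pattern: identifiers and keywords cannot be bound as
    # parameters, so both are checked against fixed allowlists first.
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return f"SELECT contact FROM activity ORDER BY {column} {normalize_direction(direction)}"


def run(sql, params=()):
    """Execute sql against a fresh in-memory table and return the contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (contact TEXT, dateAdded TEXT)")
    conn.executemany("INSERT INTO activity VALUES (?, ?)", SAMPLE_ROWS)
    return [row[0] for row in conn.execute(sql, params)]


def bound_direction_rows():
    # Binding the sort term as a parameter does not inject, but it also does
    # not sort: the bound string is a constant, so the row order is
    # engine-defined. That is why the fix is an allowlist, not binding.
    return run("SELECT contact FROM activity ORDER BY ?", ("dateAdded DESC",))


if __name__ == "__main__":
    print(run(timeline_query_safe("dateAdded", "desc")))  # bob, carol, alice
```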

Mitigation

Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds

None.

References

If you have any questions or comments about this advisory:

Email us at security@mautic.org


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions          Patched versions
mautic/core (Packagist)  >= 2.10.0, < 5.2.10        5.2.10
mautic/core (Packagist)  >= 6.0.0-alpha, < 6.0.8    6.0.8
mautic/core (Packagist)  >= 7.0.0-alpha, < 7.0.1    7.0.1
