VYPR
High severity7.1NVD Advisory· Published May 29, 2026· Updated May 29, 2026

CVE-2026-4776

Description

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated API users can inject arbitrary SQL through nested query parameters in Mautic's contact filtering, bypassing sanitization.

Vulnerability

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. The flaw stems from insufficient recursive sanitization of nested query parameters: input that is cleaned at the top level of the request is not cleaned when it arrives nested inside array-style parameters, so an authenticated API user can bypass the input filtering and inject arbitrary SQL. Affected versions are the releases before 7.1.2, 6.0.9, 5.2.11 and 4.4.20 (ELTS) in their respective release lines [1].

Exploitation

An attacker must have a valid API user account with access to the contact endpoint. By placing the malicious input in a nested query parameter that the sanitization routine does not descend into, the attacker gets it into the underlying database query unfiltered. No further user interaction is required, and the request is an ordinary authenticated API call, so it is unlikely to stand out without request-level logging of filter parameters [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the database, enabling unauthorized retrieval of sensitive data such as user credentials, system configuration and the personally identifiable information (PII) of contacts. Because the query runs with the application's database privileges, the application-layer permission checks that would normally limit what an API user can read are bypassed entirely [1].

Mitigation

Mautic has released fixed versions: 7.1.2, 6.0.9, 5.2.11 and 4.4.20 (ELTS). Users should upgrade to the appropriate patched release immediately. No official workaround is available; as a temporary measure, administrators may disable API access or restrict API permissions to highly trusted accounts. Note that these measures only limit who can reach the vulnerable code path: any account that retains access to the contact endpoint can still exploit it, so they are a stopgap, not a fix [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
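The Vulnerability, Exploitation and Mitigation paragraphs above describe a class of bug rather than a specific code path, and the Vulnerability mechanics section below notes that the fix diff has not been analysed. The following Python is an added illustration of that class, written for this page; it is not Mautic's code (Mautic is PHP, and the pattern is language-independent) and it is not a reproduction of CVE-2026-4776. It shows a filter payload shaped like a nested query string, a sanitizer that only scrubs strings at the top level, a recursive sanitizer that reaches nested leaves, and the structurally safer fix of allowlisting SQL identifiers and binding values as parameters. The parameter names (`where`, `col`, `expr`, `val`), the table name `leads`, the column allowlist and the payload itself are all constructed for the example.

```python
import re
from typing import Any

# Constructed payload, not a captured Mautic request. It has the nested shape a
# PHP framework produces from ?where[0][col]=...&where[0][expr]=...&where[0][val]=...
# The injected identifier sits two levels deep, where a root-only check never looks.
MALICIOUS_FILTER = {
    "limit": "10",
    "where": [{"col": "email) OR 1=1 --", "expr": "eq", "val": "a@example.com"}],
}
BENIGN_FILTER = {"where": [{"col": "email", "expr": "eq", "val": "a@example.com"}]}

# Deliberately simplistic denylist; the point is where it is applied, not how good it is.
_DANGEROUS = re.compile(r"""['";]|--|/\*|\*/|\b(?:union|select|sleep)\b""", re.IGNORECASE)


def sanitize_top_level(params: dict) -> dict:
    """Vulnerable pattern: scrubs only string values directly under the root.
    Lists and dicts are copied through untouched, so nested strings survive."""
    return {k: (_DANGEROUS.sub("", v) if isinstance(v, str) else v)
            for k, v in params.items()}


def sanitize_recursive(value: Any) -> Any:
    """Descends into dicts and lists to any depth, scrubbing every string leaf
    and every dict key (keys can end up in SQL as identifiers too)."""
    if isinstance(value, dict):
        return {sanitize_recursive(k): sanitize_recursive(v) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize_recursive(v) for v in value]
    if isinstance(value, str):
        return _DANGEROUS.sub("", value)
    return value


def build_query_naive(filters: dict) -> str:
    """String-concatenating builder: any leaf the sanitizer missed lands in the SQL."""
    clauses = [f"{f['col']} = '{f['val']}'" for f in filters.get("where", [])]
    return "SELECT * FROM leads WHERE " + " AND ".join(clauses)  # table name assumed


ALLOWED_COLUMNS = {"email", "firstname", "lastname", "city"}   # assumed allowlist
ALLOWED_OPERATORS = {"eq": "=", "neq": "<>", "like": "LIKE"}


def build_query_safe(filters: dict) -> tuple[str, list]:
    """Hardened builder: identifiers must match an allowlist and values become
    bound parameters. Unexpected input is rejected rather than scrubbed, so the
    depth at which it arrives no longer matters."""
    clauses, params = [], []
    for f in filters.get("where", []):
        col, op = f.get("col"), f.get("expr")
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {col!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not permitted: {op!r}")
        clauses.append(f"{col} {ALLOWED_OPERATORS[op]} ?")
        params.append(f["val"])
    return "SELECT * FROM leads WHERE " + " AND ".join(clauses), params


def injection_survives(sanitizer, filters: dict) -> bool:
    """True if the comment marker from the payload reaches the generated SQL."""
    return "--" in build_query_naive(sanitizer(filters))


def is_rejected(filters: dict) -> bool:
    """True if the hardened builder refuses the filter outright."""
    try:
        build_query_safe(filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("top-level sanitizer, injection survives:",
          injection_survives(sanitize_top_level, MALICIOUS_FILTER))
    print("recursive sanitizer, injection survives:",
          injection_survives(sanitize_recursive, MALICIOUS_FILTER))
    print("allowlist builder rejects payload:", is_rejected(MALICIOUS_FILTER))
    print("allowlist builder on benign filter:", build_query_safe(BENIGN_FILTER))
```

The recursive sanitizer fixes the reach problem the advisory describes, but it is still a denylist: it strips the comment marker from the injected column name and leaves syntactically broken SQL behind rather than a clean rejection. The durable fix is the allowlisting builder, because column and operator names are the only parts of a filter that cannot be passed as bound parameters, and once they are constrained to known values there is nowhere left for injected text to land regardless of how deeply it was nested.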

Affected products

2
  • Mautic/Mautic (vendor and product inferred): 2 affected versions, neither with a CPE assigned

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.