GHSA-R5J5-Q42H-FC93

Vulnerability from github – Published: 2026-02-25 19:28 – Updated: 2026-02-25 19:28
VLAI?
Summary
Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting
Details

Summary

This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation

Please update to 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds

None.

References

If there are any questions or comments about this advisory:

Email Mautic at security@mautic.org

Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "5.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha"
            },
            {
              "fixed": "6.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-alpha"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-3105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T19:28:39Z",
    "nvd_published_at": "2026-02-24T20:27:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThis advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.\n\n### Mitigation\n\nPlease update to **5.2.10**, **6.0.8**, **7.0.1** or later.\n\n### Workarounds\n\nNone.\n\n### References\n\nIf there are any questions or comments about this advisory:\n\nEmail Mautic at [security@mautic.org](mailto:security@mautic.org)",
  "id": "GHSA-r5j5-q42h-fc93",
  "modified": "2026-02-25T19:28:39Z",
  "published": "2026-02-25T19:28:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3105"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/releases/tag/5.2.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/releases/tag/6.0.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/releases/tag/7.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.