cbcvebase.
CVE-2026-3105
published 2026-02-24


Priority P2 61 · high 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 0.29% (20.6th percentile)
Summary
This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation
Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds
None.

References
If you have any questions or comments about this advisory: Email us at [email protected]

Affected

8 ranges
Vendor | Product | Version range | Fixed in
acquia | mautic | >= 2.10.0, < 4.4.19 | 4.4.19
acquia | mautic | >= 5.0.0, < 5.2.10 | 5.2.10
acquia | mautic | >= 6.0.0, < 6.0.8 | 6.0.8
acquia | mautic | >= 7.0.0, < 7.0.1 | 7.0.1
mautic | core | >= 2.10.0, < 5.2.10 | 5.2.10
mautic | core | >= 6.0.0-alpha, < 6.0.8 | 6.0.8
mautic | core | >= 7.0.0-alpha, < 7.0.1 | 7.0.1
mautic | mautic | >= 2.10.0, < 4.4.19 / < 5.2.10 / < 6.0.8 / < 7.0.1 | 4.4.19, 5.2.10, 6.0.8, 7.0.1

Detection & IOCs (extracted from sources)

  • The vulnerable parameter controls sort direction in the Contact Activity timeline API endpoint — monitor API requests where the sort direction parameter contains SQL metacharacters or keywords (e.g., values other than 'ASC'/'DESC') as evidence of injection attempts.
  • Focus detection on the Contact Activity timeline API endpoint in Mautic (mautic/core). Authenticated requests to this endpoint with anomalous sort-direction parameter values should be flagged.
  • Exploitation requires authentication; unauthenticated users cannot trigger this SQL injection.
  • Affected package is mautic/core. Fixed versions are 4.4.19, 5.2.10, 6.0.8, and 7.0.1 or later. No workarounds are available.
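As an added illustration (not code from the advisory or from Mautic itself), the following shows the unsafe versus allowlisted construction of the ORDER BY clause the summary describes, and a check over constructed request-log lines that flags sort-direction values other than ASC/DESC as the detection bullets above suggest. The parameter name sort_dir, the endpoint path /api/contacts/<id>/activity, the column name and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_DIRECTIONS = {"ASC", "DESC"}
SORT_PARAM = "sort_dir"  # assumed name; the advisory does not give the parameter
ACTIVITY_PATH = re.compile(r"^/api/contacts/\d+/activity$")  # assumed path

def is_allowed_direction(value: str) -> bool:
    """True only for an exact allowlisted token (trimmed, case-insensitive)."""
    return value.strip().upper() in ALLOWED_DIRECTIONS

def order_clause_vulnerable(direction: str) -> str:
    """Shape the advisory describes: the raw request value lands in the SQL string."""
    return f"ORDER BY date_added {direction}"  # date_added is an illustrative column

def order_clause_fixed(direction: str) -> str:
    """Fixed shape: only an allowlisted token ever reaches the SQL string."""
    if not is_allowed_direction(direction):
        raise ValueError(f"rejected sort direction: {direction!r}")
    return f"ORDER BY date_added {direction.strip().upper()}"

def flag_requests(log_lines):
    """Return (line_no, user, value) for requests to the activity endpoint
    whose sort-direction value is anything other than ASC/DESC."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        fields = line.split()  # assumed format: ts user=NAME METHOD TARGET STATUS
        if len(fields) < 5:
            continue
        user = fields[1].split("=", 1)[-1]
        url = urlsplit(fields[3])
        if not ACTIVITY_PATH.match(url.path):
            continue
        for value in parse_qs(url.query).get(SORT_PARAM, []):
            if not is_allowed_direction(value):
                findings.append((no, user, value))
    return findings

# Constructed sample request log (not from a real Mautic deployment).
SAMPLE_LOG = [
    "2026-02-24T10:00:01Z user=alice GET /api/contacts/42/activity?sort_dir=ASC 200",
    "2026-02-24T10:00:05Z user=alice GET /api/contacts/42/activity?sort_dir=desc 200",
    "2026-02-24T10:01:10Z user=bob GET /api/contacts/42/activity?sort_dir=DESC,1 500",
    "2026-02-24T10:01:12Z user=bob GET /api/contacts/42/activity?sort_dir=ASC%27 500",
    "2026-02-24T10:02:00Z user=carol GET /api/contacts/7?sort_dir=DESC,1 200",
]
if __name__ == "__main__":
    for no, user, value in flag_requests(SAMPLE_LOG):
        print(f"line {no}: user {user} sent {SORT_PARAM}={value!r}")
```

Only requests to the activity endpoint are considered, so the last sample line (a different path) is not reported even though its value is off the allowlist.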