SQL injection in Mautic - CVE-2026-3105


Published: May 25, 2026


Vulnerability identifier: #VU132253
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-3105
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mautic
Affected software:
Mautic

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the Contact Activity API endpoint when processing the sort direction parameter in requests for the contact activity timeline. A remote user can send a specially crafted API request to execute arbitrary SQL commands.
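An illustration of the weakness class described above and the usual fix, added here as an example that is not Mautic's code (Mautic is PHP; Python and an in-memory SQLite table with hypothetical names are used so it runs stand-alone). An ORDER BY direction cannot be passed as a bound parameter, so the correct control is an allow-list of the two keywords rather than concatenation of the client-supplied value.

```python
import sqlite3

# Constructed, hypothetical schema: a per-contact activity timeline.
# Table and column names are assumptions, not Mautic's own.
DEMO_SCHEMA = """
CREATE TABLE activity (id INTEGER PRIMARY KEY, lead_id INTEGER, ts INTEGER, event TEXT);
INSERT INTO activity (lead_id, ts, event) VALUES
  (1, 10, 'page_hit'), (1, 20, 'email_open'), (2, 15, 'form_submit');
"""

# Only these two keywords are ever allowed to reach the SQL text.
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def build_query_unsafe(direction: str) -> str:
    """Pattern to avoid: the request's sort direction is concatenated verbatim.
    Placeholders cannot protect this position, so any string the client sends
    becomes part of the statement."""
    return "SELECT id, event FROM activity WHERE lead_id = ? ORDER BY ts " + direction

def normalize_direction(direction: str) -> str:
    """Map client input onto a known keyword; reject everything else."""
    value = direction.strip().upper()
    if value not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {direction!r}")
    return value

def is_valid_direction(direction: str) -> bool:
    try:
        normalize_direction(direction)
        return True
    except ValueError:
        return False

def build_query_safe(direction: str) -> str:
    """Hardened form: the contact id is bound, the direction is allow-listed."""
    return ("SELECT id, event FROM activity WHERE lead_id = ? ORDER BY ts "
            + normalize_direction(direction))

def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn

def timeline(conn: sqlite3.Connection, lead_id: int, direction: str) -> list:
    """Return event names for one contact, ordered by the validated direction."""
    rows = conn.execute(build_query_safe(direction), (lead_id,))
    return [row[1] for row in rows]
```

The same allow-list check belongs on every sort field name as well, since column names share the same limitation as keywords: they cannot be bound as parameters.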


How to mitigate CVE-2026-3105

Install the security update from the vendor's website.

Sources