CVE-2026-3105

Name of the Vulnerable Software and Affected Versions Mautic versions 4.4.19 through 5.2.9 Mautic versions 6.0.0 through 6.0.7 Mautic versions 7.0.0 through 7.0.0

Description A SQL injection issue exists in the API endpoint used for retrieving contact activities. The vulnerability is located in the query construction for the Contact Activity timeline, where the parameter controlling sort direction lacks proper validation against an allowlist. This allows authenticated users to potentially inject arbitrary SQL commands via the API. The vulnerable parameter is related to the sort direction functionality.

Recommendations Update to Mautic version 4.4.19 or later. Update to Mautic version 5.2.10 or later. Update to Mautic version 6.0.8 or later. Update to Mautic version 7.0.1 or later.