CVE-2026-3105
Published: 24 February 2026
Summary
CVE-2026-3105 is a high-severity SQL Injection (CWE-89) vulnerability in Acquia Mautic. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3105 is a SQL injection vulnerability (CWE-89) affecting Mautic, an open-source marketing automation platform. The issue resides in the API endpoint used for retrieving contact activities, specifically in the query construction for the Contact Activity timeline. The parameter responsible for determining the sort direction is not strictly validated against an allowlist, enabling the injection of arbitrary SQL commands via the API. The vulnerability was published on 2026-02-24 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).
Authenticated users with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows attackers to inject arbitrary SQL commands, potentially leading to high confidentiality impacts such as unauthorized data disclosure, low integrity impacts like data modification, and low availability impacts.
The Mautic security advisory recommends updating to version 4.4.19, 5.2.10, 6.0.8, 7.0.1, or later to mitigate the vulnerability, with no workarounds available. Additional details are provided in the GitHub Security Advisory at https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93, and questions can be directed to security@mautic.org.
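As an added illustration (not code from Mautic or from this advisory), the defect pattern described above in Python against an in-memory SQLite table: one query builder concatenates the caller-supplied sort direction straight into the SQL text, the other accepts it only when it matches an allowlist. The table layout, column names and the ASC/DESC allowlist are assumptions, not details taken from the Mautic code base.

```python
import sqlite3

# Assumed allowlist: the page does not quote Mautic's own list, so the generic
# fix (accept exactly ASC or DESC) is used here.
ALLOWED_DIRECTIONS = ("ASC", "DESC")

BASE_QUERY = "SELECT id, event, ts FROM activity WHERE lead_id = ? ORDER BY ts "


def build_unsafe(direction: str) -> str:
    """Vulnerable pattern (CWE-89): the sort direction is pasted into the SQL
    text unchecked, so whatever string the API caller sends becomes SQL."""
    return BASE_QUERY + direction


def is_allowed_direction(direction: str) -> bool:
    """Allowlist check: exact match (case-insensitive) against ASC/DESC."""
    return direction.strip().upper() in ALLOWED_DIRECTIONS


def build_safe(direction: str) -> str:
    """Hardened pattern: reject anything outside the allowlist before the
    value is allowed anywhere near the query text."""
    if not is_allowed_direction(direction):
        raise ValueError(f"invalid sort direction: {direction!r}")
    return BASE_QUERY + direction.strip().upper()


def fetch_activity_ids(conn: sqlite3.Connection, lead_id: int, direction: str) -> list:
    """Run the hardened query; lead_id still goes through a bound parameter."""
    return [row[0] for row in conn.execute(build_safe(direction), (lead_id,))]


def demo_conn() -> sqlite3.Connection:
    """Constructed sample data: a timeline for two contacts (lead_id 7 and 8)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (id INTEGER, lead_id INTEGER, event TEXT, ts INTEGER)")
    conn.executemany(
        "INSERT INTO activity VALUES (?, ?, ?, ?)",
        [(1, 7, "email.read", 100), (2, 7, "page.hit", 300),
         (3, 7, "form.submit", 200), (4, 8, "page.hit", 150)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    print(fetch_activity_ids(conn, 7, "asc"))           # [1, 3, 2]
    print(build_unsafe("ASC, id"))                      # extra sort key reaches the SQL text
    print(is_allowed_direction("ASC, id"))              # False: the allowlist rejects it
```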
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8548
Vulnerability details
Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.
Workarounds: None.
References: If you have any questions or comments about this advisory, email us at security@mautic.org.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the authenticated but network-accessible Mautic API endpoint directly enables T1190 (Exploit Public-Facing Application) for data disclosure or modification.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like the sort direction parameter against an allowlist or strict rules, directly preventing SQL injection in the API query construction.
SI-2 mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching to the recommended versions.
SI-9 enforces restrictions on inputs to reject invalid values for parameters like sort direction, addressing the lack of strict allowlist validation in the Contact Activity API endpoint.