Cyber Resilience

CVE-2026-3105

High

Published: 24 February 2026

Modified: 27 February 2026
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0029 (20.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3105 is a high-severity SQL Injection (CWE-89) vulnerability in Acquia Mautic. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3105 is a SQL injection vulnerability (CWE-89) affecting Mautic, an open-source marketing automation platform. The issue resides in the API endpoint used for retrieving contact activities, specifically in the query construction for the Contact Activity timeline. The parameter responsible for determining the sort direction is not strictly validated against an allowlist, enabling the injection of arbitrary SQL commands via the API. The vulnerability was published on 2026-02-24 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

Authenticated users with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows attackers to inject arbitrary SQL commands, potentially leading to high confidentiality impacts such as unauthorized data disclosure, low integrity impacts like data modification, and low availability impacts.

The Mautic security advisory recommends updating to version 4.4.19, 5.2.10, 6.0.8, 7.0.1, or later to mitigate the vulnerability, with no workarounds available. Additional details are provided in the GitHub Security Advisory at https://github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93, and questions can be directed to security@mautic.org.

Vulnerability details

Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds: None.

References: If you have any questions or comments about this advisory, email us at security@mautic.org.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the authenticated but network-accessible Mautic API endpoint directly enables T1190 (Exploit Public-Facing Application) for data disclosure or modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-47051 · Same product: Acquia Mautic
CVE-2024-47053 · Same product: Acquia Mautic
CVE-2025-14472 · Same vendor: Acquia
CVE-2026-24956 · Shared CWE-89
CVE-2026-33615 · Shared CWE-89
CVE-2025-28939 · Shared CWE-89
CVE-2021-47872 · Shared CWE-89
CVE-2025-28873 · Shared CWE-89
CVE-2019-25636 · Shared CWE-89
CVE-2026-32611 · Shared CWE-89

Affected Assets

Acquia Mautic: 2.10.0 — 4.4.19 · 5.0.0 — 5.2.10 · 6.0.0 — 6.0.8

Mitigating Controls (NIST 800-53 r5)

SI-10 (prevent): requires validation of information inputs like the sort direction parameter against an allowlist or strict rules, directly preventing SQL injection in the API query construction.

SI-2 (prevent): mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching to the recommended versions.

SI-9 (prevent): enforces restrictions on inputs to reject invalid values for parameters like sort direction, addressing the lack of strict allowlist validation in the Contact Activity API endpoint.
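The allowlist validation that SI-10 and SI-9 describe, applied to the unchecked sort-direction parameter from the Deeper analysis section, as an added illustration that is not Mautic's code: the table schema, sample rows and function names are constructed, and Python with sqlite3 stands in for Mautic's PHP stack. The vulnerable builder shows the defect pattern (the request value is concatenated into the statement text), and the hardened builder shows the fix (the value is mapped onto a fixed set of constants and anything else is rejected before any SQL is built).

```python
import sqlite3

# Constructed sample data: a small "contact activity" table standing in for
# a timeline store. Hypothetical schema, not Mautic's.
ROWS = [
    (1, 7, "email.read", "2026-02-20T09:00:00"),
    (2, 7, "page.hit", "2026-02-21T10:30:00"),
    (3, 7, "form.submit", "2026-02-22T11:45:00"),
    (4, 9, "email.read", "2026-02-22T12:00:00"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activity (id INTEGER, contact_id INTEGER, event TEXT, ts TEXT)"
    )
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_query_vulnerable(order):
    """Defect pattern from the advisory: the caller-supplied sort direction is
    pasted into the SQL text unchecked. ORDER BY direction cannot be a bound
    parameter, so anything beyond ASC/DESC becomes part of the statement."""
    return f"SELECT id, event FROM activity WHERE contact_id = ? ORDER BY ts {order}"


# Allowlist: request value -> our own constant. The constant, never the
# request text, is what reaches the statement.
ALLOWED_DIRECTIONS = {"ASC": "ASC", "DESC": "DESC"}


def is_valid_direction(order):
    """True only if the value normalises to an allowlisted direction."""
    return str(order).strip().upper() in ALLOWED_DIRECTIONS


def normalize_direction(order):
    """Map a request value onto the allowlist; refuse everything else."""
    key = str(order).strip().upper()
    if key not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {order!r}")
    return ALLOWED_DIRECTIONS[key]


def build_query_safe(order):
    """Hardened form: only an allowlisted constant is interpolated."""
    direction = normalize_direction(order)
    return f"SELECT id, event FROM activity WHERE contact_id = ? ORDER BY ts {direction}"


def fetch_activities(conn, contact_id, order):
    """Contact id stays a bound parameter; direction comes from the allowlist."""
    return conn.execute(build_query_safe(order), (contact_id,)).fetchall()


def direction_reaches_sql(order):
    """Review/unit-test helper: does the raw request value appear verbatim in
    the statement the vulnerable builder produces? True means injectable."""
    return str(order) in build_query_vulnerable(order)


if __name__ == "__main__":
    db = make_db()
    print(fetch_activities(db, 7, "desc"))
    # A value that is not exactly ASC/DESC passes straight into the vulnerable
    # statement but is refused by the hardened path.
    print(direction_reaches_sql("DESC, id"), is_valid_direction("DESC, id"))
```

The safe builder still uses string formatting for the direction, because SQL placeholders cannot carry ORDER BY keywords; the difference is that the formatted token is one of two constants chosen by the server, so the request text never appears in the statement.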
