Mautic SQL Injection Vulnerability in Contact Activity API Sorting

Vulnerability

A SQL injection vulnerability has been identified in Mautic's API endpoint for retrieving contact activities. The issue arises because the parameter that determines the sort direction was not validated against an allowlist before being used in the query. As a result, authenticated users could inject arbitrary SQL through the API. This vulnerability affects Mautic versions 2.10.0 and later.
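The root cause described above is a common pattern: a sort field or sort direction taken from the request is spliced into an ORDER BY clause, where parameter binding cannot be used. The following is an added illustration written for this page, not Mautic's code; the table name, column names and function names are my own, and the demo data is constructed. It contrasts the unchecked pattern with an allowlist that only ever lets known tokens reach the SQL string.

```python
import sqlite3

# Allowlists: the only tokens that may ever be spliced into the ORDER BY clause.
# Column names are assumed for this demo; Mautic's real schema is not reproduced.
ALLOWED_SORT_FIELDS = {"id", "date_added"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_order_by_unsafe(field: str, direction: str) -> str:
    """The pattern the advisory describes: request text reaches the SQL string unchecked.
    Whatever the caller sends becomes part of the statement."""
    return f"ORDER BY {field} {direction}"


def build_order_by_safe(field: str, direction: str) -> str:
    """Hardened form: every token in the clause comes from an allowlist.
    Input is only used to *select* an allowed value, never copied into the SQL."""
    if field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {field!r}")
    normalized = direction.strip().upper()
    if normalized not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {field} {normalized}"


def rejects(field: str, direction: str) -> bool:
    """True when the hardened builder refuses the given sort parameters."""
    try:
        build_order_by_safe(field, direction)
    except ValueError:
        return True
    return False


def fetch_activities(conn, contact_id, field="date_added", direction="desc"):
    """Query a contact's activities; the WHERE value is bound, the ORDER BY is allowlisted."""
    order_by = build_order_by_safe(field, direction)
    sql = f"SELECT id, activity_type FROM activities WHERE contact_id = ? {order_by}"
    return conn.execute(sql, (contact_id,)).fetchall()


def make_demo_db():
    """In-memory SQLite table with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activities ("
        "id INTEGER PRIMARY KEY, contact_id INTEGER, activity_type TEXT, date_added TEXT)"
    )
    conn.executemany(
        "INSERT INTO activities VALUES (?, ?, ?, ?)",
        [
            (1, 7, "email.read", "2026-02-01"),
            (2, 7, "page.hit", "2026-02-03"),
            (3, 7, "form.submit", "2026-02-02"),
            (4, 8, "page.hit", "2026-02-04"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_activities(db, 7, "date_added", "desc"))
    print("unchecked builder accepts anything:", build_order_by_unsafe("id", "sideways"))
    print("allowlisted builder rejects it:", rejects("id", "sideways"))
```

The important design choice is that the allowlisted builder never echoes the caller's string into the query; it compares the normalized input against a fixed set and emits the set's own value. A check such as "does the input contain quotes or semicolons" would not be equivalent, since ORDER BY accepts far more than string literals.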

Impact

Exploitation of this vulnerability allows for SQL injection, where an authenticated user can manipulate SQL queries to execute arbitrary SQL commands. This could lead to unauthorized data access or modification.

Remediation

Users are advised to update to Mautic versions 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Added: Feb 24, 2026, 8:30 PM
Updated: Feb 24, 2026, 9:56 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.