CVE-2026-4776 PUBLISHED

Assigner: Mautic
Reserved: 24.03.2026 Published: 29.05.2026 Updated: 29.05.2026

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Package Collection	https://packagist.org
Package Name	mautic/core
Versions	Default: unaffected affected from 2.6.0 to 4.4.20 (excl.) affected from 5.0.0 to 5.2.11 (excl.) affected from 6.0.0 to 6.0.9 (excl.) affected from 7.0.0 to 7.1.2 (excl.)

Workarounds

There are no official workarounds. To mitigate this issue without upgrading, you may temporarily disable API access or restrict API permissions to highly trusted accounts.

Credits

Vignesh P (@Senku01) finder
Harish P (@Harish4948) finder
Patryk Gruszka (@patrykgruszka) remediation reviewer
Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

https://github.com/mautic/mautic/security/advisories/GHSA-fcmw-wx57-9p75

Problem Types

CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') CWE

Impacts

CAPEC-66 SQL Injection