PatchSiren cyber security CVE debrief
CVE-2026-4776 Mautic CVE debrief
An authenticated SQL injection vulnerability exists in Mautic's API contact filtering mechanism. The root cause is insufficient recursive sanitization of nested query parameters, allowing an authenticated API user to bypass input filtering and inject arbitrary SQL commands. The vulnerability was published on 2026-05-29 and carries a HIGH severity CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L). The affected weakness is CWE-89 (SQL Injection). The vendor status is currently marked as deferred in the NVD with an unknown vendor assignment requiring review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor
- Mautic
- Product
- Mautic
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running Mautic marketing automation platforms with API access enabled, security teams responsible for web application and API security, database administrators managing Mautic backend infrastructure, and compliance teams tracking vulnerability remediation for customer data protection.
Technical summary
The vulnerability stems from a failure to recursively sanitize nested query parameters in Mautic's API contact filtering functionality. An authenticated attacker can craft nested API requests where inner parameter structures evade the application's input filtering layer, allowing direct injection of arbitrary SQL into backend database queries. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) reflects that exploitation requires low-privileged authenticated network access with no user interaction, yielding high confidentiality impact and low availability impact. The integrity impact is scored as none. The official advisory reference is maintained by Mautic's security team via GitHub Security Advisory GHSA-fcmw-wx57-9p75.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches from the Mautic security advisory when available, prioritizing API endpoint hardening
- Review and implement recursive input validation for all nested query parameters in API contact filtering endpoints
- Restrict API access to trusted authenticated users and enforce principle of least privilege
- Monitor database query logs for anomalous patterns indicative of SQL injection attempts
- Conduct code review of parameter sanitization routines to ensure nested structures are fully traversed and sanitized
Evidence notes
CVE description confirms authenticated SQL injection via nested query parameter bypass in Mautic API contact filtering. CVSS vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, with high confidentiality impact and low availability impact. Official reference points to GitHub Security Advisory GHSA-fcmw-wx57-9p75 from [email protected]. NVD status is 'Deferred' with vendor marked unknown.
Official resources
-
CVE-2026-4776 CVE record
CVE.org
-
CVE-2026-4776 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29