Product
An SQL injection vulnerability, tracked as CVE-2026-4776, exists in Mautic's API contact filtering mechanism due to insufficient recursive sanitization of nested query parameters, allowing an authenticated API user to bypass input filtering, inject arbitrary SQL commands, and retrieve sensitive database contents such as user credentials, system configurations, and personal identifiable information (PII), bypassing standard data access permissions.