{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mautic--7.0.0--7.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4776"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mautic (\u003e= 2.6.0, \u003c= 4.4.13)","Mautic (\u003e= 5.0.0, \u003c 5.2.11)","Mautic (\u003e= 6.0.0, \u003c 6.0.9)","Mautic (\u003e= 7.0.0, \u003c 7.1.2)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","mautic","ghsa"],"_cs_type":"advisory","_cs_vendors":["Mautic"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability (CVE-2026-4776) has been identified in Mautic, an open-source marketing automation platform. This flaw specifically impacts the API contact filtering mechanism, stemming from inadequate recursive sanitization of nested query parameters. Attackers can exploit this by crafting malicious API requests containing SQL injection payloads, which bypass Mautic's input filtering. The vulnerability allows an authenticated user with API access to execute arbitrary SQL commands against the underlying database. This could lead to unauthorized retrieval of sensitive information, including user credentials, system configurations, and personally identifiable information (PII) of contacts, thereby compromising data confidentiality and integrity. The issue affects Mautic versions from 2.6.0 up to 4.4.13, and specific ranges within 5.x, 6.x, and 7.x, with patches released in versions 7.1.2, 6.0.9, 5.2.11, and 4.4.20.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains valid credentials for a Mautic user account with API access permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI Request Crafting\u003c/strong\u003e: The attacker crafts a specially malformed API request targeting Mautic's contact filtering endpoint (e.g., \u003ccode\u003e/api/contacts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSQL Payload Injection\u003c/strong\u003e: The malicious request includes an SQL injection payload embedded within nested query parameters, designed to bypass Mautic's existing input sanitization for CVE-2026-4776.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBackend Processing\u003c/strong\u003e: Mautic's API processes the request, and due to the vulnerability, fails to properly sanitize the injected SQL commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSQL Execution\u003c/strong\u003e: The unsanitized SQL payload is executed directly against the backend database server (e.g., MySQL, PostgreSQL).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The malicious SQL query extracts sensitive information from the database, such as administrator credentials, system configurations, or PII.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Retrieval\u003c/strong\u003e: The extracted sensitive data is returned as part of the legitimate API response, allowing the authenticated attacker to retrieve it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4776 grants an authenticated user with API access the ability to execute arbitrary SQL queries against Mautic's backend database. This has severe implications, as it enables unauthorized access and retrieval of sensitive database contents. This includes, but is not limited to, user credentials (potentially including hashed passwords), critical system configurations, and all personal identifiable information (PII) stored for marketing contacts. This bypasses standard data access permissions, potentially exposing millions of records in larger Mautic deployments and leading to significant data breaches, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-4776 immediately\u003c/strong\u003e: Upgrade Mautic to one of the patched versions: 7.1.2, 6.0.9, 5.2.11, or 4.4.20.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement WAF rules\u003c/strong\u003e: Deploy a Web Application Firewall (WAF) and configure rules to detect and block common SQL injection patterns, especially those targeting query parameters of Mautic API endpoints as outlined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict API access\u003c/strong\u003e: If immediate patching is not possible, temporarily disable Mautic API access or restrict API permissions to only highly trusted accounts as a mitigation described in the brief.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor webserver logs\u003c/strong\u003e: Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-4776 by monitoring your webserver logs for suspicious API requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:36:30Z","date_published":"2026-07-03T11:36:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mautic-sql-injection-api/","summary":"An SQL injection vulnerability, tracked as CVE-2026-4776, exists in Mautic's API contact filtering mechanism due to insufficient recursive sanitization of nested query parameters, allowing an authenticated API user to bypass input filtering, inject arbitrary SQL commands, and retrieve sensitive database contents such as user credentials, system configurations, and personal identifiable information (PII), bypassing standard data access permissions.","title":"Mautic API SQL Injection Vulnerability (CVE-2026-4776)","url":"https://feed.craftedsignal.io/briefs/2026-07-mautic-sql-injection-api/"}],"language":"en","title":"CraftedSignal Threat Feed - Mautic (\u003e= 7.0.0, \u003c 7.1.2)","version":"https://jsonfeed.org/version/1.1"}