
CVE-2026-3105: Mautic SQLi: When "Order By" Becomes "Pwned By"
Vulnerability ID: CVE-2026-3105
CVSS Score: 7.6
Published: 2026-02-25

Mautic, the open-source darling of marketing automation, recently patched a high-severity SQL injection vulnerability (CVE-2026-3105) that turns a mundane API sorting feature into a database exfiltration pipeline. By failing to validate the direction of a sort (ASC/DESC), the application allowed attackers to append arbitrary SQL directly into the query structure. This deep dive explores how a classic "Order By" injection works in modern ORM environments and why input validation remains the unshakeable law of the land.

TL;DR: Unvalidated input in Mautic's API sort-direction parameter allows blind SQL injection via the ORDER BY clause. Attackers can exfiltrate sensitive marketing data. Fixed in versions 4.4.19, 5.2.10, 6.0.8, and 7.0.1.

⚠️ Exploit Status: POC

Technical Details
CWE ID: CWE-89 (SQL Injection)
CVSS Score: 7.6 (High)
Attack Vector: Network (API
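The root cause described above is that a sort direction (and, in the same class of bug, a sort column) cannot be passed to the database as a bound parameter, so the only safe way to handle it is to map the request value onto a fixed allowlist and refuse everything else. The following is an added illustration, not Mautic's own code: it is written in Python with an in-memory SQLite table rather than Mautic's PHP/Doctrine stack, the table schema and the parameter names (orderBy / orderByDir) are assumptions, and it places the unchecked pattern next to the allowlisted one so the difference is visible.

```python
import sqlite3

# Allowlists: the only sort columns and directions the endpoint accepts.
# The request value is never pasted into SQL; it only selects an entry here.
# (Column set is an assumed example schema, not Mautic's.)
ALLOWED_SORT_COLUMNS = {"id", "email", "date_added"}
ALLOWED_SORT_DIRECTIONS = {"ASC", "DESC"}


def vulnerable_order_by(order_by, order_by_dir):
    """The anti-pattern behind an ORDER BY injection: request values are
    concatenated straight into the clause, so anything after the direction
    becomes part of the query."""
    return f"ORDER BY {order_by} {order_by_dir}"


def build_order_by(order_by, order_by_dir):
    """Return an ORDER BY clause built only from allowlisted tokens, or raise
    ValueError. Both arguments are treated as untrusted request parameters.
    Normalising case (asc/ASC) is allowed; anything else is rejected outright
    rather than 'cleaned', because a cleaned value still comes from the attacker."""
    column = str(order_by)
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = str(order_by_dir).strip().upper()
    if direction not in ALLOWED_SORT_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {order_by_dir!r}")
    # Safe to interpolate: both tokens are literals from our own sets.
    return f"ORDER BY {column} {direction}"


def is_rejected(order_by, order_by_dir):
    """Helper for the demo: True when the allowlist check refuses the input."""
    try:
        build_order_by(order_by, order_by_dir)
    except ValueError:
        return True
    return False


def make_demo_db():
    """Constructed sample data standing in for a contacts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT, date_added TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (email, date_added) VALUES (?, ?)",
        [
            ("alice@example.com", "2026-01-03"),
            ("bob@example.com", "2026-01-01"),
            ("carol@example.com", "2026-01-02"),
        ],
    )
    return conn


def fetch_contacts(conn, order_by, order_by_dir):
    """List endpoint logic: validate the sort first, then run the query.
    Returns the e-mail column in the requested order."""
    clause = build_order_by(order_by, order_by_dir)
    rows = conn.execute(f"SELECT id, email FROM contacts {clause}").fetchall()
    return [email for _id, email in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_contacts(db, "date_added", "desc"))
    # A direction that is not exactly ASC or DESC never reaches the database.
    print("rejected:", is_rejected("email", "DESC, id"))
```

The check that matters for detection is the ValueError branch: log the rejected raw value with the requesting principal, since a legitimate client only ever sends the two documented directions, and any other value in that field is a reliable signal of probing rather than user error.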



