Vulnerability Details CVE-2026-28226
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.5%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-28226
-
cpe:2.3:a:phishing.club:phishing_club:*