Vulnerability Description
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phishing.Club | Phishing Club | < 1.30.2 |
Related Weaknesses (CWE)
References
- https://github.com/phishingclub/phishingclub/commit/c7e666da9a71cd519f317cbf67adPatch
- https://github.com/phishingclub/phishingclub/security/advisories/GHSA-4r69-4qff-ExploitVendor Advisory
FAQ
What is CVE-2026-28226?
CVE-2026-28226 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in ve...
How severe is CVE-2026-28226?
CVE-2026-28226 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28226?
Check the references section above for vendor advisories and patch information. Affected products include: Phishing.Club Phishing Club.