Description

Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint. The endpoint constructs a raw SQL query and concatenates the user-controlled `sortBy` value directly into the `ORDER BY` clause without allowlist validation. Because `RemapOrderBy()` silently passes unknown values through, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
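
The pass-through behaviour and the allowlist fix described above, side by side, as an added Go example that is not Phishing Club's own code. The column map, the query text, the fallback sort column and every function name are assumptions made for illustration; the untrusted value is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical mapping from API sort keys to SQL columns (not the project's schema).
var sortColumns = map[string]string{
	"email":      "recipients.email",
	"first_name": "recipients.first_name",
	"created_at": "recipients.created_at",
}

// remapPassThrough models the flaw: a key with no mapping is returned unchanged,
// so whatever the client sent ends up in the SQL text.
func remapPassThrough(sortBy string) string {
	if col, ok := sortColumns[sortBy]; ok {
		return col
	}
	return sortBy
}

// remapAllowlisted models the fix: a key with no mapping is cleared to "".
func remapAllowlisted(sortBy string) string {
	return sortColumns[strings.ToLower(strings.TrimSpace(sortBy))]
}

// buildQuery appends ORDER BY to a raw query. Identifiers cannot be bound as
// query parameters, so the column must come from a fixed set; the direction is
// likewise reduced to ASC or DESC, and a cleared column falls back to a default.
func buildQuery(remap func(string) string, sortBy, sortOrder string) string {
	q := "SELECT id, email FROM recipients" // assumed query
	col := remap(sortBy)
	if col == "" {
		return q + " ORDER BY recipients.id ASC"
	}
	dir := "ASC"
	if strings.EqualFold(sortOrder, "desc") {
		dir = "DESC"
	}
	return q + " ORDER BY " + col + " " + dir
}

func main() {
	untrusted := "(SELECT 1)" // constructed sample of a non-column value
	fmt.Println(buildQuery(remapPassThrough, untrusted, "asc"))
	fmt.Println(buildQuery(remapAllowlisted, untrusted, "asc"))
	fmt.Println(buildQuery(remapAllowlisted, "email", "desc"))
}
```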

INFO

Published Date: 2026-02-26T22:43:05.629Z

Last Modified: 2026-02-27T18:18:06.714Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-28226 vulnerability.

Vendor: Phishing.club
  • Product: Phishing Club
Vendor: Phishingclub
  • Product: Phishingclub