CVE-2026-28226

Name of the Vulnerable Software and Affected Versions Phishing Club versions prior to 1.30.2

Description Phishing Club is a phishing simulation and man-in-the-middle framework. An authenticated SQL injection issue exists in the GetOrphaned recipient listing endpoint. The endpoint builds a SQL query and adds the user-controlled sortBy value directly into the ORDER BY clause without proper validation. Unknown values are passed through the RemapOrderBy() function, allowing an authenticated attacker to inject SQL expressions into the ORDER BY clause. The issue was addressed by validating the order-by column against an allowlist and removing unknown mappings. The vulnerable endpoint is '/GetOrphaned'.

Recommendations Update to version 1.30.2 or later.