Description
Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
Published: 2026-02-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection (Blind) with potential data exfiltration
Action: Patch Immediately
AI Analysis

Impact

Phishing Club exposes a blind SQL injection vulnerability in the GetOrphaned recipient listing endpoint. The endpoint builds a raw SQL query by concatenating a user‑controlled sortBy value directly into an ORDER BY clause, without validating the input. A user who is authenticated to the application can supply an arbitrary ORDER BY expression and forges SQL that is executed, allowing data extraction from the underlying database. This is a CWE‑89 flaw that can compromise confidentiality of all data accessed by the system.

Affected Systems

Phishing Club (phishingclub) versions before 1.30.2 are affected. Any deployment of the open‑source phishing simulation framework with a version earlier than v1.30.2 is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating a significant risk when exploited by an authenticated attacker. EPSS indicates a very low probability of exploitation, but the possibility exists for users with valid credentials. The issue is not listed in CISA’s KEV catalog. An attacker can leverage the flaw to read sensitive data if they can authenticate to the application; the impact is limited to systems where the GetOrphaned recipient listing endpoint is exposed and users have authentication.

Generated by OpenCVE AI on April 16, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Phishing Club to version 1.30.2 or later to apply the fix that validates ORDER BY input
  • If an immediate upgrade is not possible, restrict access to the GetOrphaned recipient listing endpoint to only privileged accounts to reduce the attack surface
  • Review and minimize database user privileges to limit the amount of data an attacker can retrieve if the vulnerability is exploited

Generated by OpenCVE AI on April 16, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Phishing.club
Phishing.club phishing Club
CPEs cpe:2.3:a:phishing.club:phishing_club:*:*:*:*:*:*:*:*
Vendors & Products Phishing.club
Phishing.club phishing Club

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Phishingclub
Phishingclub phishingclub
Vendors & Products Phishingclub
Phishingclub phishingclub

Thu, 26 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description Phishing Club is a phishing simulation and man-in-the-middle framework. Prior to version 1.30.2, an authenticated SQL injection vulnerability exists in the GetOrphaned recipient listing endpoint in versions prior to v1.30.2. The endpoint constructs a raw SQL query and concatenates the user-controlled sortBy value directly into the ORDER BY clause without allowlist validation. Because unknown values are silently passed through `RemapOrderBy()`, an authenticated attacker can inject SQL expressions into the `ORDER BY` clause. This issue was patched in v1.30.2 by validating the order-by column against an allowlist and clearing unknown mappings.
Title Phishing Club has Authenticated Blind SQL Injection in GetOrphaned Recipient Listing
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Phishing.club Phishing Club
Phishingclub Phishingclub
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:18:06.714Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28226

cve-icon Vulnrichment

Updated: 2026-02-27T18:18:01.390Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:36.570

Modified: 2026-03-03T00:44:26.760

Link: CVE-2026-28226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses