CVE Tools

phplist

Communicationsoss-project

29

Cumulative CVEs

6

Monthly snapshots

#47

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting phplist.

CVE-2025-28074phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal...6.1May 8, 2025
CVE-2025-28073phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which ...6.1May 8, 2025
CVE-2023-27576An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the...6.7Aug 18, 2023
CVE-2017-20036PHPList Bounce Rule Persistent cross site scriting3.5Jun 10, 2022
CVE-2017-20035PHPList Subscribe Persistent cross site scriting3.5Jun 10, 2022
CVE-2017-20034PHPList List Name Persistent cross site scriting3.5Jun 10, 2022
CVE-2017-20033PHPList Reflected cross site scriting4.3Jun 10, 2022
CVE-2017-20032PHPList Subscription sql injection6.3Jun 10, 2022
CVE-2017-20031PHPList information disclosure2.7Jun 10, 2022
CVE-2017-20030PHPList Sending Campain sql injection4.7Jun 10, 2022
CVE-2017-20029PHPList Edit Subscription index.php sql injection7.3Jun 10, 2022
CVE-2020-22249Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip file, Uploading a malicious plugin which contains the php files wit...9.8Jul 6, 2021
CVE-2020-22251Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admin.4.8Jul 6, 2021
CVE-2020-36399A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "rule1" parameter under the "Boun...5.4Jul 2, 2021
CVE-2020-36398A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the "Campaign" field under the "Send ...5.4Jul 2, 2021