Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Endpoint is network-reachable but requires two specific high-privilege permissions (PR:H); arbitrary table reads yield full confidentiality loss; CTE-based DML enables partial writes (I:L); no availability impact described.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to 6.2.0, listmonk’s GET /api/subscribers/export endpoint injects the user-controlled query parameter into QuerySubscribersForExport in internal/core/subscribers.go without calling validateQueryTables, unlike GET /api/subscribers, allowing an authenticated user with subscribers:sql_query and subscribers:get_all to read arbitrary database tables such as users and settings and execute data-modifying PostgreSQL CTEs. This issue is fixed in version 6.2.0.
AnalysisAI
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session in listmonk with both the subscribers:sql_query permission (which enables custom SQL expressions in subscriber filtering) and the subscribers:get_all permission (which enables access to the export endpoint). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N accurately characterises the attack profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated listmonk user who holds both subscribers:sql_query and subscribers:get_all permissions submits a crafted SQL expression - for example, a WITH cte AS (SELECT * FROM users) SELECT * FROM cte - as the query parameter to GET /api/subscribers/export. Because ExportSubscribers omits the validateQueryTables call, the injected expression is executed directly against the PostgreSQL backend, returning the full contents of the users table including hashed passwords and API tokens. … |
| Remediation | Upgrade listmonk to version 6.2.0 or later, which resolves the vulnerability via the fix in commit c0a6525009a65265230185f16e8674dcc83aa024; the release is available at https://github.com/knadh/listmonk/releases/tag/v6.2.0 and the advisory is at https://github.com/knadh/listmonk/security/advisories/GHSA-xgjr-7j9q-2h4r. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44815