Skip to main content

Phplist

18 CVEs product

Monthly

CVE-2025-28074 MEDIUM This Month

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Phplist
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2025-28073 MEDIUM This Month

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Phplist
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-27576 MEDIUM POC This Month

An issue was discovered in phpList before 3.6.14. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Phplist
NVD GitHub
CVSS 3.1
6.7
EPSS
0.3%
CVE-2021-3188 CRITICAL POC Act Now

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Phplist
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-35708 HIGH POC This Week

phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Phplist
NVD
CVSS 3.1
7.2
EPSS
1.5%
CVE-2020-15073 MEDIUM POC This Month

An issue was discovered in phpList through 3.5.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Phplist
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-15072 HIGH POC This Week

An issue was discovered in phpList through 3.5.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Phplist
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2020-13827 MEDIUM POC This Month

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Phplist
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-12639 MEDIUM This Month

phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Phplist
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2020-8547 CRITICAL POC Act Now

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Phplist
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
5.9%
CVE-2014-2916 MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Phplist
NVD VulDB
CVSS 2.0
6.8
EPSS
0.2%
CVE-2012-5228 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
7.7%
CVE-2012-2741 MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 12.5%.

XSS Phplist
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
12.5%
CVE-2012-2740 HIGH POC PATCH This Week

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Phplist
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
6.1%
CVE-2012-4247 MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Phplist
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
5.1%
CVE-2012-4246 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
7.1%
CVE-2012-3953 HIGH POC PATCH This Week

SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Phplist
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
1.4%
CVE-2012-3952 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB
CVSS 2.0
2.6
EPSS
9.7%
EPSS 0% CVSS 6.1
MEDIUM This Month

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Phplist
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS Phplist
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM POC This Month

An issue was discovered in phpList before 3.6.14. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Phplist
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Phplist
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Phplist
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

An issue was discovered in phpList through 3.5.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Phplist
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in phpList through 3.5.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Phplist
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Phplist
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Phplist
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL POC Act Now

phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Phplist
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote attackers to hijack the authentication of administrators via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Phplist
NVD VulDB
EPSS 8% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB
EPSS 13% CVSS 4.3
MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject arbitrary web script or HTML via the num parameter in a reconcileusers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 12.5%.

XSS Phplist
NVD Exploit-DB
EPSS 6% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Phplist
NVD Exploit-DB
EPSS 5% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) remote_user, (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Phplist
NVD Exploit-DB
EPSS 7% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter; or the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL commands via the delete parameter to the editattributes page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Phplist
NVD Exploit-DB
EPSS 10% CVSS 2.6
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary web script or HTML via the unconfirmed parameter to the user page. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Phplist
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy