phpList/phplist3

phpList/phplist3

www.phplist.org

Releases88

Frequency1 month 1 week

Last Release 12 months ago

Stars848

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-28074 ↗	May 8, 2025Thursday, 8 May 2025, 21:15	6.1 MEDIUM	—
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
CVE-2025-28073 ↗	May 8, 2025Thursday, 8 May 2025, 20:15	6.1 MEDIUM	—
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject arbitrary JavaScript code by manipulating the id parameter, which is improperly sanitized.
CVE-2020-23361 ↗	Jan 27, 2021Wednesday, 27 January 2021, 16:15	9.8 CRITICAL	7.5 HIGH
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
CVE-2020-12639 ↗	May 4, 2020Monday, 4 May 2020, 14:15	6.1 MEDIUM	4.3 MEDIUM
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.