Product
phplist
56 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-28074
< 3.6.15
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability
6.1
MEDIUM
CVE-2025-28073
< 3.6.15
phpList before 3.6.15 is vulnerable to Reflected Cross-Site Scripting (XSS) via the /lists/dl.php endpoint. An attacker can inject
6.1
MEDIUM
CVE-2023-27576
all versions
An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the syste
6.7
MEDIUM
CVE-2017-20036
all versions
A vulnerability, which was classified as problematic, was found in PHPList 3.2.6. Affected is an unknown function of the file /lis
3.5
LOW
CVE-2017-20035
all versions
A vulnerability, which was classified as problematic, has been found in PHPList 3.2.6. This issue affects some unknown processing
3.5
LOW
CVE-2017-20034
all versions
A vulnerability classified as problematic was found in PHPList 3.2.6. This vulnerability affects unknown code of the file /lists/a
3.5
LOW
CVE-2017-20033
all versions
A vulnerability classified as problematic has been found in PHPList 3.2.6. This affects an unknown part of the file /lists/admin/.
4.3
MEDIUM
CVE-2017-20032
all versions
A vulnerability was found in PHPList 3.2.6. It has been rated as critical. Affected by this issue is some unknown functionality of
6.3
MEDIUM
CVE-2017-20031
all versions
A vulnerability was found in PHPList 3.2.6. It has been declared as problematic. Affected by this vulnerability is an unknown func
2.7
LOW
CVE-2017-20030
all versions
A vulnerability was found in PHPList 3.2.6. It has been classified as critical. Affected is an unknown function of the file /lists
4.7
MEDIUM
CVE-2017-20029
all versions
A vulnerability was found in PHPList 3.2.6 and classified as critical. This issue affects some unknown processing of the file /lis
7.3
HIGH
CVE-2020-22251
<= 3.5.3
Cross Site Scripting (XSS) vulnerability in phpList 3.5.3 via the login name field in Manage Administrators when adding a new admi
4.8
MEDIUM
CVE-2020-22249
all versions
Remote Code Execution vulnerability in phplist 3.5.1. The application does not check any file extensions stored in the plugin zip
9.8
CRITICAL
CVE-2020-36399
<= 3.5.4
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or
5.4
MEDIUM
CVE-2020-36398
<= 3.5.4
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows attackers to execute arbitrary web scripts or
5.4
MEDIUM
CVE-2020-23194
<= 3.5.4
A stored cross site scripting (XSS) vulnerability in the "Import Subscribers" feature in phplist 3.5.4 and below allows authentica
5.4
MEDIUM
CVE-2020-23192
<= 3.5.4
A stored cross site scripting (XSS) vulnerability in phplist 3.5.4 and below allows authenticated attackers to execute arbitrary w
5.4
MEDIUM
CVE-2020-23190
all versions
A stored cross site scripting (XSS) vulnerability in the "Import emails" module in phplist 3.5.4 allows authenticated attackers to
5.4
MEDIUM
CVE-2020-23217
all versions
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a
5.4
MEDIUM
CVE-2020-23214
all versions
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a
5.4
MEDIUM
CVE-2020-23209
all versions
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a
5.4
MEDIUM
CVE-2020-23208
all versions
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a
5.4
MEDIUM
CVE-2020-23207
all versions
A stored cross site scripting (XSS) vulnerability in phplist 3.5.3 allows attackers to execute arbitrary web scripts or HTML via a
5.4
MEDIUM
CVE-2020-23361
all versions
phpList 3.5.3 allows type juggling for login bypass because == is used instead of === for password hashes, which mishandles hashes
9.8
CRITICAL
CVE-2021-3188
all versions
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
9.8
CRITICAL
CVE-2020-35708
all versions
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" p
7.2
HIGH
CVE-2020-15073
<= 3.5.4
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload
5.4
MEDIUM
CVE-2020-15072
<= 3.5.4
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators
8.8
HIGH
CVE-2020-13827
< 3.5.4
phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php.
6.1
MEDIUM
CVE-2020-12639
< 3.5.3
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php.
6.1
MEDIUM
CVE-2020-8547
all versions
phpList 3.5.0 allows type juggling for admin login bypass because == is used instead of === for password hashes, which mishandles
9.8
CRITICAL
CVE-2014-2916
<= 3.0.5
Cross-site request forgery (CSRF) vulnerability in the subscription page editor (spageedit) in phpList before 3.0.6 allows remote
CVE-2012-5228
<= 2.10.18
Cross-site scripting (XSS) vulnerability in admin/index.php in phplist 2.10.9, 2.10.17, and possibly other versions before 2.10.19
CVE-2012-2741
<= 2.10.17
Cross-site scripting (XSS) vulnerability in public_html/lists/admin/ in phpList before 2.10.18 allows remote attackers to inject a
CVE-2012-2740
<= 2.10.17
SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL
CVE-2012-4247
<= 2.10.18
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to i
CVE-2012-4246
<= 2.10.18
Multiple cross-site scripting (XSS) vulnerabilities in lists/admin/index.php in phpList before 2.10.19 allow remote attackers to i
CVE-2012-3953
<= 2.10.18
SQL injection vulnerability in admin/index.php in phpList before 2.10.19 allows remote administrators to execute arbitrary SQL com
CVE-2012-3952
<= 2.10.18
Cross-site scripting (XSS) vulnerability in admin/index.php in phpList before 2.10.19 allows remote attackers to inject arbitrary
CVE-2011-1682
<= 2.10.13
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the aut
CVE-2011-0748
<= 2.10.12
Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authenti
CVE-2009-4066
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-
CVE-2008-6178
all versions
Unrestricted file upload vulnerability in editor/filemanager/browser/default/connectors/php/connector.php in FCKeditor 2.2, as use
CVE-2009-0422
<= 2.10.8
Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, all
CVE-2008-5887
<= 2.10.7
phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability
CVE-2006-5524
all versions
Cross-site scripting (XSS) vulnerability in index.php in phplist 2.10.2 allows remote attackers to inject arbitrary web script or
CVE-2006-5322
<= 2.10.2
Multiple SQL injection vulnerabilities in phplist before 2.10.3 allow remote attackers to execute arbitrary SQL commands via unspe
CVE-2006-5321
<= 2.10.2
Multiple cross-site scripting (XSS) vulnerabilities in phplist before 2.10.3 allow remote attackers to inject arbitrary web script
CVE-2006-5294
<= 2.10.2
Cross-site scripting (XSS) vulnerability in index.php in phplist before 2.10.3 allows remote attackers to inject arbitrary web scr
CVE-2006-1746
<= 2.10.2
Directory traversal vulnerability in PHPList 2.10.2 and earlier allows remote attackers to include arbitrary local files via the (
CVE-2005-3557
<= 2.10.1
Directory traversal vulnerability in admin/defaults.php in PHPlist 2.10.1 and earlier allows remote attackers to access arbitrary
CVE-2005-3556
<= 2.10.1
Multiple cross-site scripting (XSS) vulnerabilities in PHPlist 2.10.1 and earlier allow remote attackers to inject arbitrary web s
CVE-2005-3555
<= 2.10.1
Multiple SQL injection vulnerabilities in PHPlist 2.10.1 and earlier allow authenticated remote attackers with administrator privi
CVE-2005-2433
all versions
PhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domain
CVE-2005-2432
all versions
SQL injection vulnerability in PhpList allows remote attackers to modify SQL statements via the id argument to admin pages such as
CVE-2004-2744
<= 2.8.11
Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has unknown impact and attack vectors, related to a "security up
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin