Hi all.

Upon scanning for vulnerabilities on the latest phplist (3.6.7) the following were found:

  • CVE-2020-35708: SQL injection by admins who provide a crafted fourth line of a file to the ‘Config - Import Administrators’ page
  • CVE-2021-3188: CSV injection, related to the email parameter, and /lists/admin/ exports

As they are quite old at this time, I was wondering when they can be patched?



Hi Alex,

Regarding reporting a security issue please see .
Reporting it directly gives us the best chance of identifying what occurred and remediating it immediately, protecting our service.


This is being discussed further here:

Bottom line, the scanner being used is outdated (by the looks of it).