QSearchQSearch

CVE-2021-3188

9.8 CRITICAL

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports

Published: 2021-01-26 · Last updated: 2026-06-17

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-1236

Affected products

VendorProduct
phplistphplist

Description

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-5242 Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc (8.8 HIGH)
  • CVE-2025-52612 HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
  • CVE-2026-10248 A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0 (4.7 MEDIUM)
  • CVE-2026-9673 Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which... (6.8 MEDIUM)
  • CVE-2026-41073 RT is an open source, enterprise-grade issue and ticket tracking system (4.6 MEDIUM)