🔐 CVE Alert

CVE-2026-62361

MEDIUM 5.5

listmonk: SQL Injection in `/api/subscribers/export` bypasses table access control, leaking admin password hashes and SMTP credentials

CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to 6.2.0, listmonk’s GET /api/subscribers/export endpoint injects the user-controlled query parameter into QuerySubscribersForExport in internal/core/subscribers.go without calling validateQueryTables, unlike GET /api/subscribers, allowing an authenticated user with subscribers:sql_query and subscribers:get_all to read arbitrary database tables such as users and settings and execute data-modifying PostgreSQL CTEs. This issue is fixed in version 6.2.0.

CWE CWE-89
Vendor knadh
Product listmonk
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for knadh listmonk

Be the first to know when new medium vulnerabilities affecting knadh listmonk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

knadh / listmonk
< 6.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/knadh/listmonk/security/advisories/GHSA-xgjr-7j9q-2h4r github.com: https://github.com/knadh/listmonk/commit/c0a6525009a65265230185f16e8674dcc83aa024 github.com: https://github.com/knadh/listmonk/releases/tag/v6.2.0