CVE-2025-46011

MEDIUM

listmonk 2.4.0-4.1.0 - SQL Injection in QuerySubscribers Function

Title source: llm

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.

Core 5

Core References

Third Party Advisory

Patch

Issue Tracking, Mitigation

Release Notes

Release Notes

CVSS v3 6.5

EPSS 0.0025

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

CWE

CWE-89

Status published

Products (1)

nadh/listmonk 2.4.0 - 5.0.0

Published Jun 04, 2025

Tracked Since Feb 18, 2026