Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.
References
| Link | Resource |
|---|---|
| https://github.com/kevinroleke/security/tree/main/CVE-2025-46011 | Third Party Advisory |
| https://github.com/knadh/listmonk/commit/4b805f885b9f5a20126ec06f8b59dc448c4af33b | Patch |
| https://github.com/knadh/listmonk/issues/2412 | Issue Tracking Mitigation |
| https://github.com/knadh/listmonk/releases/tag/v4.1.0 | Release Notes |
| https://github.com/knadh/listmonk/releases/tag/v5.0.0 | Release Notes |
Configurations
History
15 Oct 2025, 17:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/kevinroleke/security/tree/main/CVE-2025-46011 - Third Party Advisory | |
| References | () https://github.com/knadh/listmonk/commit/4b805f885b9f5a20126ec06f8b59dc448c4af33b - Patch | |
| References | () https://github.com/knadh/listmonk/issues/2412 - Issue Tracking, Mitigation | |
| References | () https://github.com/knadh/listmonk/releases/tag/v4.1.0 - Release Notes | |
| References | () https://github.com/knadh/listmonk/releases/tag/v5.0.0 - Release Notes | |
| First Time |
Nadh
Nadh listmonk |
|
| CPE | cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:* |
09 Jun 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-04 20:15
Updated : 2025-10-15 17:54
NVD link : CVE-2025-46011
Mitre link : CVE-2025-46011
CVE.ORG link : CVE-2025-46011
JSON object : View
Products Affected
nadh
- listmonk
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')