phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
{ "cpes": [ "cpe:2.3:a:phplist:phplist:3.5.9:*:*:*:*:*:*:*" ], "severity": "High" }