PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62361 knadh CVE debrief

CVE-2026-62361 is a SQL injection vulnerability in listmonk's GET /api/subscribers/export endpoint. An authenticated user with subscribers:sql_query and subscribers:get_all permissions can inject user-controlled query parameters, enabling them to read arbitrary database tables and execute data-modifying PostgreSQL CTEs. The issue was fixed in version 6.2.0. This vulnerability has a medium severity and could allow an attacker to access sensitive data or modify database contents. Users of listmonk versions prior to 6.2.0 should be aware of this vulnerability and take immediate action to upgrade to version 6.2.0 or apply compensating controls.

Vendor
knadh
Product
listmonk
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of listmonk versions prior to 6.2.0 who have subscribers:sql_query and subscribers:get_all permissions should be aware of this vulnerability and take immediate action to upgrade to version 6.2.0 or apply compensating controls. This includes operators, platform administrators, vulnerability management teams, and security teams who are responsible for ensuring the security of listmonk deployments.

Technical summary

The vulnerability exists in the GET /api/subscribers/export endpoint of listmonk, where user-controlled query parameters are injected into QuerySubscribersForExport in internal/core/subscribers.go without proper validation. This allows an authenticated user with specific permissions to read arbitrary database tables, such as users and settings, and execute data-modifying PostgreSQL CTEs. The issue was fixed in version 6.2.0. Affected product deployments should be identified in managed environments, and owners should review official advisories or CVE records to validate affected scope, severity, and vendor guidance. Compensating controls, such as monitoring and exception tracking, should be implemented for exposed systems while remediation is scheduled and verified.

Defensive priority

High due to potential for data exposure and modification, and because an authenticated user with specific permissions can exploit this vulnerability. Immediate action is necessary to prevent potential attacks, especially in environments where listmonk is used to manage sensitive data or has access to critical systems. Defenders should prioritize upgrading to version 6.2.0 or applying compensating controls to mitigate the risk of exploitation. Additionally, defenders should review monitoring, detection, and logs for exposed assets that need extra review, and track exceptions and retest remediated assets to ensure the vulnerability is fully addressed. The high priority also reflects the potential for lateral movement and data breaches if the vulnerability is exploited. Therefore, defenders should conduct inventory checks to identify potentially affected systems and implement compensating controls, such as monitoring and exception tracking, to detect and respond to potential attacks. Finally, defenders should consider the potential impact on business operations and prioritize remediation efforts accordingly. The priority level is also influenced by the fact that the CVE record has a medium severity score, but the actual impact of the vulnerability could be higher depending on the specific use case and environment. Overall, a high defensive priority is warranted to ensure the security and integrity of listmonk deployments. The recommended actions provided below should be implemented as soon as possible to mitigate the risk of exploitation. The actions include upgrading to version 6.2.0 or later, restricting permissions for subscribers:sql_query and subscribers:get_all, implementing compensating controls, conducting inventory checks, and tracking exceptions and retesting remediated assets. By taking these steps, defenders can reduce the risk of exploitation and protect their listmonk deployments from potential attacks. The high defensive priority reflects the need for immediate action to prevent potential attacks and minimize the impact of a successful exploitation. Therefore, defenders should not delay in implementing the recommended actions to address this high-p

Recommended defensive actions

  • Upgrade to listmonk version 6.2.0 or later
  • Restrict permissions for subscribers:sql_query and subscribers:get_all
  • Implement compensating controls, such as monitoring and exception tracking
  • Conduct inventory checks to identify potentially affected systems
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-15T21:16:55.933Z and last modified on 2026-07-16T16:19:16.103Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it mentions that the issue was fixed in version 6.2.0. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T21:16:55.933Z and has not been modified since then. The NVD entry is currently Deferred.