An issue exists in phpList up to and including 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
phplist phplist