phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.
phplist phplist 3.6.0