Severity: Critical
CVSS Score: 9.8
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports.