CVE-2025-46011 is a medium-severity SQL Injection vulnerability identified in Listmonk version 4.1.0, which has been addressed in version 5.0.0. The vulnerability exists in the QuerySubscribers function, a component likely responsible for querying subscriber data within the Listmonk application. SQL Injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized before being included in SQL queries, allowing attackers to manipulate the query logic. In this case, exploitation could allow an attacker to escalate privileges by injecting malicious SQL code, potentially accessing or modifying subscriber data beyond their authorized scope. The CVSS 3.1 base score is 6.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality and integrity impact (C:L/I:L), with no impact on availability (A:N). No known exploits are currently reported in the wild. The vulnerability was reserved in April 2025 and published in June 2025. No patch links are provided, but upgrading to Listmonk v5.0.0 or later is recommended to remediate the issue.

For European organizations using Listmonk 4.1.0, this vulnerability poses a risk of unauthorized access and privilege escalation within subscriber management systems. Given Listmonk's role in managing mailing lists and subscriber data, exploitation could lead to unauthorized disclosure or modification of personal data, potentially violating GDPR requirements. The confidentiality and integrity of subscriber information could be compromised, undermining trust and possibly resulting in regulatory penalties. Although availability is not impacted, the breach of subscriber data could facilitate further attacks such as phishing or social engineering. Organizations relying on Listmonk for marketing or communication may face reputational damage and operational disruption if attackers leverage this vulnerability to manipulate subscriber lists or send unauthorized communications.

European organizations should immediately verify their Listmonk version and upgrade to version 5.0.0 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, implement strict input validation and parameterized queries in the QuerySubscribers function to prevent SQL Injection. Employ Web Application Firewalls (WAFs) with rules targeting SQL Injection patterns specific to Listmonk queries. Conduct thorough code reviews and penetration testing focusing on database query functions. Monitor logs for unusual query patterns or access attempts to subscriber data. Additionally, restrict database user permissions to the minimum necessary to limit the impact of any injection attempts. Regularly update and patch Listmonk installations and maintain an inventory of affected systems to ensure timely remediation.