phpList 3.5.7 released: security enforcements on the authentication process


phpList 3.5.7 is now available for installation. This release introduces security enforcements on the authentication process.

You can update your phpList installation using the Automatic Updater, or you can download it directly from SourceForge.

Fixes to look for:

  • Dashboard page title has been renamed from “Upgrade phpList” to “Update database” to avoid confusion. Thanks to @hktang for the Pull Request 4.
  • Session fixation: The application now generates a new session key upon authentication, so that an unauthenticated user cannot obtain the session key of a legitimate user.
  • Sanitise the browser trail cookie to prevent cross-site scripting.
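
The session fixation fix described above, modelled as an added example in Python (this is not phpList's own code): `SessionStore`, `login` and `fixation_outcome` are hypothetical names, and the in-memory table stands in for the server's session storage. It compares what happens to a session id that was known before login, with and without regeneration.

```python
import secrets


class SessionStore:
    """In-memory model of a server-side session table (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login(self, sid, user, regenerate=True):
        """Authenticate the session; return the id the client must use afterwards."""
        if sid not in self._sessions:
            # Unknown or expired id: never adopt a value supplied by the client.
            sid = self.create()
        data = self._sessions[sid]
        if regenerate:
            # The fix: destroy the pre-login id and move the data to a fresh one.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = data
        data["user"] = user
        return sid


def fixation_outcome(regenerate):
    """Report whether an id known before login is authenticated after login."""
    store = SessionStore()
    pre_login_id = store.create()  # id that a third party also knows
    issued_id = store.login(pre_login_id, "admin", regenerate=regenerate)
    return {
        "pre_login_id_authenticated": store.user_for(pre_login_id) == "admin",
        "issued_id_authenticated": store.user_for(issued_id) == "admin",
        "id_changed": issued_id != pre_login_id,
    }


if __name__ == "__main__":
    print("without regeneration:", fixation_outcome(False))
    print("with regeneration:   ", fixation_outcome(True))
```
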


This release is the work of @hktang and other Open Source community members who have submitted bug reports and valuable feedback, as well as phpList Ltd. developers. To get involved in phpList development, check out the developer resources pages.

Report any issues you find with phpList 4 core or REST API to the corresponding repo on GitHub. Please read the contribution guide on how to contribute to these modules.

