We've released a new stable version of phpList. This version is a security update, that fixes a vulnerability that was found in the FCKeditor that is shipped with phpList. We strongly advise everyone to upgrade to this release.

The vulnerability allows a remote attacker to upload a file to the server and run a script locally as the user that the webserver runs as. Once they have managed to do this, they are potentially able to exploit local vulnerabilities to elevate their permissions. It is therefore quire a servious issue.

Other changes are listed in the release notes.