CVE-2025-28074

Published: May 8, 2025Modified: Jun 16, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

Affected (1)

Products: Phplist: Phplist

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Phplist Phplist	Before 3.6.15

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/mLniumm/CVE-2025-28074

Source: cve@mitre.org

Third Party Advisory

https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php

Source: cve@mitre.org

Product

https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15

Source: cve@mitre.org

Product

https://www.phplist.org/newslist/phplist-3-6-15-release-notes/

Source: cve@mitre.org

Release Notes

Timeline

No history available yet.