CVE-2025-28074

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-28074
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/mLniumm/CVE-2025-28074 Third Party Advisory
https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php Product
https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 Product
https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ Release Notes
Configurations

Configuration 1 (hide)

cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*
History

16 Jun 2025, 18:39

Type Values Removed Values Added
First Time Phplist
Phplist phplist
References () https://github.com/mLniumm/CVE-2025-28074 - () https://github.com/mLniumm/CVE-2025-28074 - Third Party Advisory
References () https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php - () https://github.com/phpList/phplist3/blob/main/public_html/lists/lt.php - Product
References () https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 - () https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 - Product
References () https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ - () https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ - Release Notes
CPE cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*

07 Jun 2025, 15:15

Type Values Removed Values Added
Summary (en) phpList prior to 3.6.3 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript. (en) phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
References
  • () https://github.com/phpList/phplist3/compare/v3.6.14...v3.6.15 -
  • () https://www.phplist.org/newslist/phplist-3-6-15-release-notes/ -

12 May 2025, 22:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
CWE CWE-79

12 May 2025, 17:32

Type Values Removed Values Added
Summary
  • (es) Las versiones anteriores a phpList 3.6.3 son vulnerables a ataques de cross site scripting (XSS) debido a una depuración incorrecta de la entrada en lt.php. Esta vulnerabilidad se puede explotar cuando la aplicación hace referencia dinámicamente a rutas internas y procesa entradas no confiables sin escapar, lo que permite a un atacante inyectar JavaScript malicioso.

08 May 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-08 21:15

Updated : 2025-06-16 18:39

NVD link : CVE-2025-28074

Mitre link : CVE-2025-28074

CVE.ORG link : CVE-2025-28074

JSON object : View

Products Affected

phplist

  • phplist
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')