CVE-2025-28074

MEDIUM

phpList < 3.6.15 - XSS

Title source: rule

Description

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

Exploits (1)

nomisec WRITEUP
by mLniumm · poc
https://github.com/mLniumm/CVE-2025-28074

Scores

CVSS v3 6.1
EPSS 0.0030
EPSS Percentile 53.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
phplist/phplist < 3.6.15
Published May 08, 2025
Tracked Since Feb 18, 2026