CVE-2025-28074

MEDIUM

phplist < 3.6.15 - Cross-Site Scripting in lt.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-28074, a PoC published by mLniumm.

AI-analyzed exploit summary: This repository contains a detailed writeup for CVE-2025-28074, describing a reflected XSS vulnerability in phpList prior to 3.6.3 due to improper input sanitization in lt.php. The vulnerability allows arbitrary JavaScript execution when internal paths are dynamically referenced.

Description

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

Exploits (1)

nomisec WRITEUP
by mLniumm · poc
https://github.com/mLniumm/CVE-2025-28074


Classification
Writeup 90%
Attack Type XSS
Complexity Trivial
Reliability Reliable
Target: phpList < 3.6.3
No auth needed
Prerequisites: Ability to influence path parameters or similar reference mechanisms in phpList
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0052
EPSS Percentile 39.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
phplist/phplist < 3.6.15
Published May 08, 2025
Tracked Since Feb 18, 2026