CVE-2025-58430

MEDIUM

listmonk <= 1.1.0 - Cross-Site Scripting via Nonce Bypass

Title source: llm

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/knadh/listmonk/security/advisories/GHSA-rf24-wg77-gq7w

Scores

CVSS v3 6.1

EPSS 0.0013

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-80 CWE-352 CWE-79

Status published

Products (2)

knadh/listmonk 0Go

nadh/listmonk < 1.1.0

Published Sep 09, 2025

Tracked Since Feb 18, 2026