CVE-2025-58430

MEDIUM

listmonk <1.1.0 - CSRF

Title source: llm

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.

References (1)

[Exploit, Third Party Advisory] https://github.com/knadh/listmonk/security/advisories/GHSA-rf24-wg77-gq7w

Scores

CVSS v3 6.1

EPSS 0.0002

EPSS Percentile 3.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-80 CWE-352 CWE-79

Status published

Affected Products (2)

nadh/listmonk < 1.1.0

knadh/listmonk Go

Timeline

Published Sep 09, 2025

Tracked Since Feb 18, 2026