CVE-2025-28074
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-28074
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28074.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-28074
- Published
- 2025-05-08T21:15:50Z
- Modified
- 2025-06-16T21:18:00.403708Z
- Summary
- [none]
- Details
-
phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
- References
Affected packages
Git / github.com/phplist/phplist3
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phplist/phplist3
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.2.0
3.2.0-RC1
3.3.0
3.3.2
3.3.3
3.3.6
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.5.0
3.5.1
3.5.2
3.5.3
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.6.0
3.6.1
3.6.2
v.*
v.3.2.2
v.3.3.4
v.3.3.5
v.3.3.7
v.3.3.8
v.3.4.2
v3.*
v3.2.1
v3.2.3
v3.2.4
v3.2.7
v3.3.1
v3.3.8
v3.3.9
v3.6.11
v3.6.11-RC1
v3.6.12
v3.6.12-RC
v3.6.12-RC2
v3.6.14
v3.6.14-RC1
v3.6.15-RC1
v3.6.15-RC2
v3.6.3
v3.6.3-RC1
v3.6.3-RC2
v3.6.4-RC2
v3.6.5
v3.6.6
v3.6.6-RC1
v3.6.6-RC2
v3.6.6-RC3
v3.6.6-RC4
v3.6.6-RC5
v3.6.7-RC1
v3.6.7-RC2
v3.6.8
v3.6.8-RC1
v3.6.8-RC2
v3.6.9-RC1
v3.6.9-RC2