CVE-2025-28074

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-28074

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28074.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-28074

Published

2025-05-08T21:15:50.200Z

Modified

2026-04-10T05:25:07.366380Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

References

Affected packages

Git / github.com/phplist/phplist3

Affected ranges

Type

GIT

Repo

https://github.com/phplist/phplist3

Events

Introduced

Fixed

8bfc783f8e98432435500e6d0b46d7ff8da42e9b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.15"
        }
    ]
}

Affected versions

3.*

3.2.0

3.2.0-RC1

3.3.6

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.4.9

3.5.0

3.5.1

3.5.2

3.5.3

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.6.0

3.6.1

3.6.2

v.*

v.3.3.5

v.3.3.8

v3.*

v3.2.1

v3.2.7

v3.6.11

v3.6.11-RC1

v3.6.12

v3.6.12-RC

v3.6.12-RC2

v3.6.15-RC1

v3.6.15-RC2

v3.6.3

v3.6.3-RC1

v3.6.3-RC2

v3.6.4-RC2

v3.6.5

v3.6.6

v3.6.6-RC3

v3.6.7-RC1

v3.6.7-RC2

v3.6.8

v3.6.8-RC1

v3.6.8-RC2

v3.6.9-RC1

v3.6.9-RC2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28074.json"