- Description
- phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
- Source
- cve@mitre.org
- NVD status
- Analyzed
CVSS 3.1
- Type
- Secondary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-79
- Hype score
- Not currently trending
🟠 phpList, Cross-Site Scripting (XSS), #CVE-2025-28074 (Medium) https://t.co/rjEQkNDXq2
@dailycve
16 Jun 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-28074 phpList prior to 3.6.3 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application… https://t.co/Dje2bn8ljF
@CVEnew
8 May 2025
270 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phplist:phplist:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "90C24A84-C600-49C0-B0A9-65C69BEA3F2C",
"versionEndExcluding": "3.6.15"
}
],
"operator": "OR"
}
]
}
]