CVE-2025-28074: XSS
First published: Thu May 08 2025(Updated: )
phpList prior to 3.6.3 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHPList | <3.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-28074?
CVE-2025-28074 has a medium severity due to its potential for Cross-Site Scripting (XSS) attacks.
How do I fix CVE-2025-28074?
To fix CVE-2025-28074, upgrade phpList to version 3.6.3 or later to ensure proper input sanitization.
What is affected by CVE-2025-28074?
CVE-2025-28074 affects phpList versions prior to 3.6.3.
Can CVE-2025-28074 lead to data breaches?
Yes, CVE-2025-28074 can lead to data breaches if an attacker successfully exploits the XSS vulnerability.
How is CVE-2025-28074 exploited?
CVE-2025-28074 can be exploited by injecting malicious JavaScript through improperly sanitized user inputs in lt.php.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/source
- agent/tags
- agent/event
- vendor/phplist
- canonical/phplist