CVE-2025-28074

Name of the Vulnerable Software and Affected Versions phpList versions prior to 3.6.3

Description The issue is related to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. This allows an attacker to inject malicious JavaScript when the application dynamically references internal paths and processes untrusted input without escaping.

Recommendations For versions prior to 3.6.3, update to version 3.6.3 or later to resolve the issue. As a temporary workaround, consider disabling the dynamic referencing of internal paths in lt.php until a patch is available. Restrict access to untrusted input to minimize the risk of exploitation.