PT-2025-36937 · Listmonk · Listmonk

R3Verii · Published 2025-09-09 · Updated 2025-11-09 · CVE-2025-58430

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: listmonk versions 1.1.0 and earlier
Description: listmonk, a standalone newsletter and mailing list manager, is susceptible to a chain of vulnerabilities involving Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Specifically, the nonce value that accompanies the session cookie (named session) in HTTP requests is not validated by the backend. Removing this nonce still allows the request to be processed, which, combined with other vulnerabilities, can lead to critical issues such as improper admin account creation. The lack of a SameSite policy on the session cookie further exacerbates the risk, potentially enabling exploitation through malicious websites. Exploitation involves chaining CSRF and XSS to execute arbitrary code in the victim's browser, ultimately allowing an attacker to create new administrative accounts.
Recommendations: Versions prior to 1.1.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
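The two controls the description says are missing, nonce validation bound to the session cookie and a SameSite attribute on that cookie, shown in Go as an added example (not listmonk's code); the in-memory nonce map and the X-Nonce header name are assumptions of the example:

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// nonces binds each session ID to its CSRF nonce: a single-goroutine, in-memory
// stand-in for a real session store (the map and the X-Nonce header name are assumptions).
var nonces = map[string]string{}

func randomHex() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never fall back to a predictable session ID or nonce
	}
	return hex.EncodeToString(b)
}

// NewSession issues the "session" cookie with SameSite=Lax, so a cross-site
// POST from another origin is not sent with it, and returns the nonce the
// client must echo on every state-changing request.
func NewSession(w http.ResponseWriter) (sid, nonce string) {
	sid, nonce = randomHex(), randomHex()
	nonces[sid] = nonce
	http.SetCookie(w, &http.Cookie{Name: "session", Value: sid, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return sid, nonce
}

// RequireNonce is the check the advisory says the backend skipped: a request
// whose nonce is missing, or does not match the nonce bound to its session
// cookie, is refused instead of being processed.
func RequireNonce(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got, want, ok := r.Header.Get("X-Nonce"), "", false
		if c, err := r.Cookie("session"); err == nil {
			want, ok = nonces[c.Value]
		}
		// Constant-time comparison; an absent header can never match.
		if !ok || got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "missing or invalid nonce", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Replaying a POST that carries the session cookie but no nonce, which is what a forged cross-site request looks like, is rejected with 403; the same request with the matching nonce reaches the handler.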

Exploit

XSS

CSRF

Related Identifiers

CVE-2025-58430
GHSA-RF24-WG77-GQ7W
GO-2025-3943
OPENSUSE-SU-2025:15564-1
SUSE-SU-2025:03289-1

Affected Products

Listmonk