
CVE-2025-28074: n/a

Medium
Published: Thu May 08 2025 (05/08/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

phpList before 3.6.15 is vulnerable to Cross-Site Scripting (XSS) due to improper input sanitization in lt.php. The vulnerability is exploitable when the application dynamically references internal paths and processes untrusted input without escaping, allowing an attacker to inject malicious JavaScript.

AI-Powered Analysis

AILast updated: 07/12/2025, 05:17:04 UTC

Technical Analysis

CVE-2025-28074 is a Cross-Site Scripting (XSS) vulnerability affecting phpList versions prior to 3.6.15. phpList is open-source newsletter and email campaign management software widely used for managing mailing lists and sending bulk emails. The vulnerability arises from improper input sanitization in the lt.php script, which dynamically references internal paths and processes untrusted input without adequate escaping or validation. This flaw allows an attacker to inject malicious JavaScript code into the application. When a victim user accesses the compromised page or resource, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely over the network without requiring authentication, but it does require user interaction, such as clicking a crafted link or viewing a malicious email. The CVSS v3.1 base score is 6.1 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required, and user interaction needed. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component; it impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches or vendor advisories are linked yet. The underlying weakness corresponds to CWE-79, a common and well-understood XSS category caused by insufficient input validation and output encoding.

Potential Impact

For European organizations using phpList for email marketing or internal communications, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to theft of session cookies, unauthorized access to user accounts, or manipulation of displayed content. This can undermine trust in the organization's communications, lead to data leakage, and facilitate further attacks such as phishing or malware distribution. Since phpList is often used by small to medium enterprises, non-profits, and public sector entities, the impact could extend to sensitive subscriber data and internal mailing lists. The vulnerability does not directly affect system availability but compromises confidentiality and integrity of user interactions. Given the network-exploitable nature and the medium CVSS score, attackers could leverage this flaw in targeted phishing campaigns or automated scanning to compromise users who interact with maliciously crafted links or emails. European organizations with less mature patch management or security awareness programs are particularly at risk.

Mitigation Recommendations

Organizations should immediately upgrade phpList to version 3.6.15 or later once available, as this will contain the necessary input sanitization fixes. Until patches are applied, administrators should implement strict input validation and output encoding on all user-supplied data, especially in the lt.php script or any dynamic path references. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting phpList endpoints. Additionally, organizations should educate users to be cautious with unexpected links or emails and employ email security gateways to filter malicious content. Monitoring web server logs for suspicious requests to lt.php or unusual query parameters can help detect attempted exploitation. Implementing Content Security Policy (CSP) headers can also mitigate the impact of injected scripts by restricting allowable script sources. Finally, regular security assessments and code reviews of custom phpList integrations should be conducted to identify and remediate similar input validation issues.
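The log-monitoring step above can be implemented as a small scanner that parses access-log lines and flags requests to lt.php whose query parameters are unexpected or carry script-like content. The following is an added defensive example written for this page, not phpList project code; the set of parameters lt.php legitimately accepts (EXPECTED_PARAMS) is an assumption for illustration, and the log lines are constructed samples.

```python
"""Flag suspicious requests to phpList's lt.php in web server access logs.

Added example for the mitigation advice on this page; not phpList project
code. EXPECTED_PARAMS is a hypothetical allow-list of query parameters that
lt.php accepts in a given deployment; adjust it to what your installation uses.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" format: client ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed (hypothetical) set of query parameters lt.php legitimately accepts.
EXPECTED_PARAMS = {"tid"}

# Markers of script injection attempts in a parameter value; checked after
# URL-decoding so percent-encoded probes are caught as well.
SUSPICIOUS_VALUE = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample log lines (not from any real server); line 2 and 4 should be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:05:10:01 +0000] "GET /lists/lt.php?tid=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jul/2025:05:10:02 +0000] "GET /lists/lt.php?tid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Jul/2025:05:10:03 +0000] "GET /lists/index.php?p=subscribe HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jul/2025:05:10:04 +0000] "GET /lists/lt.php?tid=x&foo=javascript:void(0) HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def parse_line(line):
    """Return (client, timestamp, method, target, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("client"), m.group("ts"), m.group("method"),
            m.group("target"), int(m.group("status")))


def inspect_request(target):
    """Return the reasons a request target to lt.php looks suspicious (empty list if clean).

    Requests to any other script are ignored so the scanner stays focused on
    the endpoint named in the advisory.
    """
    parts = urlsplit(target)
    if parts.path.split("/")[-1] != "lt.php":
        return []
    reasons = []
    # keep_blank_values so probes like "?tid=" remain visible
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl already decoded once; this catches double-encoding
        if name not in EXPECTED_PARAMS:
            reasons.append(f"unexpected parameter {name!r}")
        if SUSPICIOUS_VALUE.search(decoded):
            reasons.append(f"script-like content in {name!r}")
    return reasons


def scan_log(text):
    """Scan access-log text and return (client, timestamp, target, reasons) for each flagged request."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ts, _method, target, _status = parsed
        reasons = inspect_request(target)
        if reasons:
            findings.append((client, ts, target, reasons))
    return findings


if __name__ == "__main__":
    for client, ts, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {target}: {'; '.join(reasons)}")
```

Feed it a real access log with `scan_log(open(path).read())`; the output is a starting point for triage, not proof of exploitation, since a hit only means a request to lt.php carried parameters outside the assumed allow-list or containing markup-like characters. The decoding step matters because the page's own description involves unescaped untrusted input, and percent-encoded probes would otherwise slip past a plain substring match.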


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-03-11T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9816c4522896dcbd67cd

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 5:17:04 AM

Last updated: 8/11/2025, 8:00:23 AM

Views: 12
