CVE-2025-58430
Published: 2025-09-09
EPSS: 0.13% (2.7th percentile)
listmonk is a standalone, self-hosted newsletter and mailing list manager. In versions up to and including 1.1.0, every HTTP request carried, in addition to the `session` cookie, a `nonce` value. The backend does not check or validate this value, so removing `nonce` still allows the request to be processed. This may seem harmless, but chained with other vulnerabilities it can become critical: cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.
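As an added example (not listmonk's own code), the check the description says is missing, written in Go: a session-only check that ignores the nonce, as the advisory describes, beside a hardened check that requires the nonce and binds it to the session. The `X-Nonce` header name, the in-memory session store and the request path are assumptions for this example.

```go
package main
import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed server-side session state: session ID -> CSRF nonce issued to it.
var sessionNonces = map[string]string{"sess-abc123": "nonce-9f8e7d"}

// vulnerableCheck models the advisory: the session is verified but the nonce never is.
func vulnerableCheck(sessionID, nonce string) bool {
	_, ok := sessionNonces[sessionID]
	return ok
}

// hardenedCheck rejects a missing nonce and compares it, in constant time, to the session's.
func hardenedCheck(sessionID, nonce string) bool {
	expected, ok := sessionNonces[sessionID]
	if !ok || nonce == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(nonce), []byte(expected)) == 1
}

// authorize reads the `session` cookie and the X-Nonce header (name assumed for this
// example) and returns the status a state-changing request gets under the given check.
func authorize(check func(string, string) bool, r *http.Request) int {
	c, err := r.Cookie("session")
	if err != nil || !check(c.Value, r.Header.Get("X-Nonce")) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// forgedPost builds a cross-site POST: the browser attaches the victim's session cookie
// automatically, while the nonce is known only to pages served by the application.
func forgedPost(nonce string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/api/example", nil) // constructed path
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-abc123"})
	req.Header.Set("X-Nonce", nonce) // empty string behaves like an absent header here
	return req
}

func main() {
	fmt.Println(authorize(vulnerableCheck, forgedPost("")))           // 200: nonce ignored
	fmt.Println(authorize(hardenedCheck, forgedPost("")))             // 403: nonce required
	fmt.Println(authorize(hardenedCheck, forgedPost("nonce-9f8e7d"))) // 200: legitimate
}
```

The hardened variant is what a backend needs for the `nonce` to have any effect: a request whose nonce was stripped or guessed is refused even though the session cookie is valid.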
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | knadh_listmonk | 0 – 1.1.0 | — |
| knadh | listmonk | <= 1.1.0 | — |
| nadh | listmonk | <= 1.1.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV (2025-09-17): CVE-2025-58430 listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover in github.com/knadh/listmonk
OSV (2025-09-09) [HIGH]: CVE-2025-58430 listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover
### Summary
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
### Details
During a security evaluation of the webapp, every HTTP request in addition to the ses
GHSA (2025-09-09) [HIGH] CWE-352: CVE-2025-58430 listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.