QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-58430

Back to search

CVE-2025-58430

Published: Sep 9, 2025

Modified: Sep 10, 2025

PUBLISHED

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.

VendorProductVersions

knadh

listmonk

affected
<= 1.1.0

Weaknesses (CWE)

CWE-80
CWE-352
CWE-79

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now