Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available.

INFO

Published Date :

2025-09-09T19:37:45.468Z

Last Modified :

2025-09-10T13:55:42.949Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58430 vulnerability.

Vendors Products
Listmok Project
  • Listmonk
Nadh
  • Listmonk
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58430.

URL Resource
https://github.com/knadh/listmonk/security/advisories/GHSA-rf24-wg77-gq7w cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact