XSS in Knadh Listmonk

CVE-2025-58430

listmonk is a standalone, self-hosted newsletter and mailing list manager. In versions up to and including 1.1.0, every HTTP request carried, in addition to the session cookie `session`, a `nonce` value. The value is not checked and validate…

EPSS: 0.000 (8.2th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-58430?
CVE-2025-58430 is a vulnerability in Knadh Listmonk, classified under Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). Published 2025-09-09.
Is CVE-2025-58430 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.