CVE-2026-21483

Medium CVSS: 5.4

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.

Vendor

Nadh

Product

Listmonk

CWE

CWE-79

Yayın Tarihi

2026-01-02 21:16:03

Güncelleme

2026-02-25 15:20:58

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Listmonk MEDIUM Nadh 2026

Referanslar

https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565

Benzer Kayıtlar

High

CVE-2025-58430

listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every…

Critical

CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to versi…

Medium

CVE-2025-46011

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers…