CVE-2026-21483
Published 2026-01-02
Priority: P4 · Severity: medium (CVSS 3.1 base score 5.4, vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.20% (9.8th percentile)
listmonk is a standalone, self-hosted newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | knadh_listmonk | >= 0 < 1.1.1-0.20251231125615-74dc5a01cfbb | 1.1.1-0.20251231125615-74dc5a01cfbb |
| github.com | knadh_listmonk | >= 1.1.1 < 6.0.0 | 6.0.0 |
| knadh | listmonk | < 6.0.0 | 6.0.0 |
| nadh | listmonk | < 6.0.0 | 6.0.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 5.4 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2026-01-12
CVE-2026-21483: listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover in github.com/knadh/listmonk
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/knadh/listmonk from v1.1.1 before v6.0.0.
OSV · 2026-01-02
CVE-2026-21483 [MEDIUM] listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
## Security Advisory: Stored XSS Leading to Admin Account Takeover
**Affected Versions:** ≤ 5.1.0
**Vulnerability Type:** CWE-79: Stored Cross-Site Scripting
---
## Summary
A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.
The attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required.
---
## Required Attacker Permissions
```
campaigns:manage - Create/edit campaig
```
GHSA · 2026-01-02
CVE-2026-21483 [MEDIUM] CWE-79 listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
No detection rules found.
No public exploits indexed.
Published: 2026-01-02