Knadh Listmonk vulnerabilities
5 known vulnerabilities affecting knadh/listmonk.
Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4
Vulnerabilities
CVE-2025-49136 | Priority P3 | Severity MEDIUM | CVSS 6.5 | PoC available | Affected: >= 4.0.0, < 5.0.2 | Date: 2025-06-09
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, allow a template to capture environment variables on the host. While this may not be a problem on single-user (super admin) installations, on multi-user inst
Source: nvd
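The mechanism behind this entry, as an added example that is not listmonk's or Sprig's own code: Sprig's function map ships `env` and `expandenv`, which are thin wrappers over `os.Getenv` and `os.ExpandEnv`, so anyone who can edit a campaign or template body can read the host process environment. The `sprigLikeFuncs` map below is a stand-in for `sprig.FuncMap()` that reproduces only those two helpers (the real map is far larger), the template body and the `LISTMONK_DEMO_SECRET` variable are constructed for the demo, and `hardenedFuncs` shows one mitigation, stripping the helpers before untrusted templates are parsed, which is not necessarily the exact change the project shipped in 5.0.2.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"text/template"
)

// sprigLikeFuncs stands in for sprig.FuncMap(). Only the two helpers named
// in the advisory are reproduced, with the same backing calls Sprig uses.
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// hostIntrospectionFuncs are helpers that must not be reachable from a
// template body a non-admin user can edit.
var hostIntrospectionFuncs = []string{"env", "expandenv"}

// hardenedFuncs copies base and drops the host-introspection helpers.
func hardenedFuncs(base template.FuncMap) template.FuncMap {
	out := make(template.FuncMap, len(base))
	for name, fn := range base {
		out[name] = fn
	}
	for _, name := range hostIntrospectionFuncs {
		delete(out, name)
	}
	return out
}

// render parses and executes body with funcs. text/template resolves
// function names at parse time, so a body that calls a removed helper is
// rejected in Parse, before anything executes.
func render(funcs template.FuncMap, body string) (string, error) {
	t, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Constructed campaign body: a low-privileged user reads a host secret
// through both helpers.
const maliciousBody = `{{ env "LISTMONK_DEMO_SECRET" }}|{{ expandenv "$LISTMONK_DEMO_SECRET" }}`

// Demo plants a constructed secret in the process environment, renders the
// malicious body with the permissive map and with the hardened map, and
// returns what leaked plus the hardened map's parse error.
func Demo() (leaked string, hardenedErr error) {
	os.Setenv("LISTMONK_DEMO_SECRET", "hunter2-constructed")
	defer os.Unsetenv("LISTMONK_DEMO_SECRET")

	leaked, _ = render(sprigLikeFuncs(), maliciousBody)
	_, hardenedErr = render(hardenedFuncs(sprigLikeFuncs()), maliciousBody)
	return leaked, hardenedErr
}

func main() {
	leaked, err := Demo()
	fmt.Printf("permissive funcmap rendered: %q\n", leaked)
	fmt.Printf("hardened funcmap refused:    %v\n", err)
}
```

Because the rejection happens at parse time, validating template bodies with the hardened map on save is enough to keep a malicious body from ever being stored; on single-user installs the same environment is also readable through other channels, which is why the advisory scopes the impact to multi-user deployments.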
CVE-2026-34828 | Priority P3 | Severity HIGH | CVSS 7.1 | Affected: >= 4.1.0, < 6.1.0 | Date: 2026-04-02
CWE-613 (Insufficient Session Expiration)
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already ob
Source: nvd
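The check this entry is about, as an added example rather than listmonk's own session code: each session records the owner's credential generation at issue time, a password change or reset bumps that generation, and authentication rejects any session issued under an older one. The in-memory `Store`, the user names and the stolen-session scenario are all constructed for the example; in a real deployment a `password_changed_at` column on the users table plays the role of the counter.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// session is the server-side record behind a session cookie. credGen is
// the owner's credential generation at the moment the session was issued.
type session struct {
	userID  string
	credGen uint64
}

// Store is an in-memory stand-in for the sessions table plus a per-user
// credential generation counter.
type Store struct {
	mu       sync.Mutex
	sessions map[string]session
	credGen  map[string]uint64
}

func NewStore() *Store {
	return &Store{sessions: map[string]session{}, credGen: map[string]uint64{}}
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *Store) issueLocked(userID string) string {
	tok := newToken()
	s.sessions[tok] = session{userID: userID, credGen: s.credGen[userID]}
	return tok
}

// Login issues a session bound to the user's current credential generation.
func (s *Store) Login(userID string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked(userID)
}

var ErrNoSession = errors.New("session invalid or revoked")

// Authenticate resolves a token to a user. A session issued under an older
// credential generation is rejected even though its row still exists; this
// is the check whose absence CWE-613 describes.
func (s *Store) Authenticate(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok || sess.credGen != s.credGen[sess.userID] {
		delete(s.sessions, tok) // lazy cleanup of stale rows
		return "", ErrNoSession
	}
	return sess.userID, nil
}

// ChangePassword bumps the credential generation, invalidating every
// session issued before the change. With keepCurrent set, the user who
// made the change gets a fresh session back; a password reset would pass
// false and force a new login everywhere.
func (s *Store) ChangePassword(userID string, keepCurrent bool) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.credGen[userID]++
	if !keepCurrent {
		return ""
	}
	return s.issueLocked(userID)
}

// Scenario (constructed): an attacker holds a session captured before the
// victim changed the password. It reports whether that session still
// authenticates afterwards and whether the victim's re-issued one does.
func Scenario() (attackerStillValid, victimNewValid bool) {
	st := NewStore()
	stolen := st.Login("alice")
	fresh := st.ChangePassword("alice", true)
	_, errStolen := st.Authenticate(stolen)
	_, errFresh := st.Authenticate(fresh)
	return errStolen == nil, errFresh == nil
}

func main() {
	a, v := Scenario()
	fmt.Printf("stolen session still valid after password change: %v\n", a)
	fmt.Printf("victim's re-issued session valid: %v\n", v)
}
```

Bumping a per-user generation rather than deleting rows means the revocation also covers sessions held in a cache or a second replica that a DELETE might miss, and it works unchanged for password reset, where the actor is unauthenticated and there is no "current" session to keep.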
CVE-2026-34584 | Priority P4 | Severity MEDIUM | CVSS 5.4 | Affected: >= 4.1.0, < 6.1.0 | Date: 2026-04-02
CWE-639 (Authorization Bypass Through User-Controlled Key)
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allow users in a multi-user environment to access lists they do not have access to, under different scenarios. This only affects multi-user environments with untrusted users. This issue has
Source: nvd
CVE-2026-21483 | Priority P4 | Severity MEDIUM | CVSS 5.4 | Affected: < 6.0.0 (fixed in 6.0.0) | Date: 2026-01-02
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the a
Source: nvd
CVE-2025-58430 | Priority P4 | Severity MEDIUM | CVSS 6.1 | Affected: <= 1.1.0 | Date: 2025-09-09
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every HTTP request carried, in addition to the session cookie `session`, a `nonce`. The backend does not check or validate this value; removing `nonce` still allows the request to be processed normally. This may seem harmless, but if
Source: nvd
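What the missing validation should have looked like, as an added example and not listmonk's own middleware: the server issues a nonce alongside each session, stores it server-side keyed by the session, and refuses any state-changing request whose nonce is absent or does not match, using a constant-time comparison. Assumptions for the example: the nonce travels in an `X-Nonce` request header (the page does not say how listmonk carried it), the `/api/lists` path and the in-memory `sessions` map are constructed, and responses are exercised with `net/http/httptest` so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// sessions maps a session cookie value to the nonce issued alongside it.
// In-memory stand-in for the real session store, constructed for this example.
type sessions struct {
	mu    sync.Mutex
	nonce map[string]string
}

func newSessions() *sessions { return &sessions{nonce: map[string]string{}} }

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// issue creates a session and the nonce that must accompany its requests.
func (s *sessions) issue() (sid, nonce string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sid, nonce = randomHex(16), randomHex(16)
	s.nonce[sid] = nonce
	return sid, nonce
}

// requireNonce is the server-side check the advisory says was absent: a
// request is processed only if it carries the nonce bound to its session.
// The X-Nonce header name is an assumption made for this example.
func requireNonce(s *sessions, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		s.mu.Lock()
		want, ok := s.nonce[c.Value]
		s.mu.Unlock()
		if !ok {
			http.Error(w, "unknown session", http.StatusUnauthorized)
			return
		}
		got := r.Header.Get("X-Nonce")
		// Constant-time compare; an empty header never matches a real nonce.
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "missing or invalid nonce", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one POST through the guarded handler with the given
// session cookie and nonce header (either may be empty) and returns the
// status the client would see.
func StatusFor(h http.Handler, sid, nonce string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/lists", nil)
	if sid != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sid})
	}
	if nonce != "" {
		req.Header.Set("X-Nonce", nonce)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

// Scenario exercises the cases that matter: correct nonce, nonce stripped
// from the request (the advisory's observation), and a guessed nonce.
func Scenario() (withNonce, stripped, wrongNonce int) {
	st := newSessions()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	guarded := requireNonce(st, ok)
	sid, nonce := st.issue()
	return StatusFor(guarded, sid, nonce),
		StatusFor(guarded, sid, ""),
		StatusFor(guarded, sid, randomHex(16))
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("with nonce: %d, nonce stripped: %d, wrong nonce: %d\n", a, b, c)
}
```

The quick check against a deployed instance is exactly what the advisory describes: replay an authenticated state-changing request with the nonce removed. A correct implementation answers with a 4xx; the vulnerable versions processed it as if the nonce were present.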