listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/knadh/listmonkGo | >= 1.1.1, < 6.0.0 | 6.0.0 |
github.com/knadh/listmonkGo | < 1.1.1-0.20251231125615-74dc5a01cfbb | 1.1.1-0.20251231125615-74dc5a01cfbb |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/knadh/listmonkpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 1.1.1, < 6.0.0+ 1 more
- (no CPE)range: >= 1.1.1, < 6.0.0
- (no CPE)range: < 0.0.20260114T191543-150000.1.137.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-jmr4-p576-v565ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21483ghsaADVISORY
- github.com/knadh/listmonk/commit/74dc5a01cfbb12cf218cb33ddad8410c53e2e915ghsaWEB
- github.com/knadh/listmonk/releases/tag/v6.0.0ghsaWEB
- github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.