Go modules package
github.com/knadh/listmonk
pkg:golang/github.com/knadh/listmonk
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34828 | High | 7.1 | — | >= 1.1.1-0.20241028090858-319053dd7a90, < 1.1.1-0.20260329113754-1b5e8d38c778 | 1.1.1-0.20260329113754-1b5e8d38c778 | Apr 2, 2026 | listmonk is a standalone, self-hosted newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically passwo |
| CVE-2026-21483 | — | — | — | >= 1.1.1, < 6.0.0 | 6.0.0 | Jan 2, 2026 | listmonk is a standalone, self-hosted newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or preview |
| CVE-2025-58430 | — | — | — | <= 1.1.0 | — | Sep 9, 2025 | listmonk is a standalone, self-hosted newsletter and mailing list manager. In versions up to and including 1.1.0, every HTTP request carried, in addition to the session cookie `session`, a `nonce` value. The value is not checked or validated by the backend; removing `nonce` allows |
| CVE-2025-49136 | — | — | — | >= 4.0.0, < 5.0.2 | 5.0.2 | Jun 9, 2025 | listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, allow capturing of environment variables on the host. While this may not be a |
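The CVE-2026-34828 entry describes sessions that outlive a password change. The standard fix is a per-user security stamp (sometimes called a password version or session generation) that every session snapshots when issued and that validation compares against; bumping it once retires every older session. The following is an added example written for this page, not listmonk's own code: `securityStamp`, `store`, `issueSession` and `authenticate` are hypothetical names, the in-memory maps stand in for a real user table and session backend, and the "hash-v1" strings stand in for real password hashes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed example (not listmonk's code). Each user carries a securityStamp
// that is bumped on every security-sensitive change; a session snapshots the
// stamp at issue time, and validation compares the two. One increment retires
// every session issued before it without enumerating them. The store is an
// in-memory stand-in with no locking; a real backend would persist the stamp
// alongside the password hash.

type user struct {
	passwordHash  string // stand-in for a real bcrypt/argon2 hash
	securityStamp uint64
}

type session struct {
	userID string
	stamp  uint64 // user.securityStamp when the session was issued
}

type store struct {
	users    map[string]*user
	sessions map[string]session
}

var errSessionInvalid = errors.New("session invalid or revoked")

func newStore() *store {
	return &store{users: map[string]*user{}, sessions: map[string]session{}}
}

// issueSession is what a successful login calls.
func (s *store) issueSession(userID string) (string, error) {
	u, ok := s.users[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.sessions[id] = session{userID: userID, stamp: u.securityStamp}
	return id, nil
}

// authenticate resolves a session cookie to a user ID. A session whose stamp
// no longer matches the user's is rejected and deleted.
func (s *store) authenticate(sessionID string) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return "", errSessionInvalid
	}
	u, ok := s.users[sess.userID]
	if !ok || sess.stamp != u.securityStamp {
		delete(s.sessions, sessionID)
		return "", errSessionInvalid
	}
	return sess.userID, nil
}

// changePasswordUnsafe is the vulnerable shape: the credential changes but
// nothing retires the sessions issued under the old one.
func (s *store) changePasswordUnsafe(userID, newHash string) {
	s.users[userID].passwordHash = newHash
}

// changePassword is the fixed shape: the stamp bump invalidates every
// previously issued session on its next use.
func (s *store) changePassword(userID, newHash string) {
	u := s.users[userID]
	u.passwordHash = newHash
	u.securityStamp++
}

func main() {
	st := newStore()
	st.users["alice"] = &user{passwordHash: "hash-v1"}
	old, _ := st.issueSession("alice")

	st.changePasswordUnsafe("alice", "hash-v2")
	_, err := st.authenticate(old)
	fmt.Println("old session valid after unsafe change:", err == nil) // true (the bug)

	st.changePassword("alice", "hash-v3")
	_, err = st.authenticate(old)
	fmt.Println("old session valid after fixed change:", err == nil) // false

	fresh, _ := st.issueSession("alice")
	_, err = st.authenticate(fresh)
	fmt.Println("fresh session valid:", err == nil) // true
}
```

The same stamp should be bumped on any change that an attacker holding a stolen session must not survive (2FA reset, email change, explicit "log out everywhere"), which is why comparing a stamp is preferable to deleting sessions by user ID: it also covers sessions stored in backends you cannot enumerate cheaply.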
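The CVE-2025-49136 entry is about template functions that reach outside the template: Sprig's `env` and `expandenv` read the host process environment, so anyone who can author a campaign or template body can read secrets the process was started with. The check a practitioner wants is that the function map handed to untrusted templates is an allowlist, and that a template referencing a removed function fails at parse time. This is an added example for this page, not listmonk's code and not the Sprig library: `sprigLikeFuncMap` is constructed to mirror the shape of a Sprig-style map (only the two dangerous functions plus two harmless ones), `hardenedFuncMap` and `renderCampaign` are hypothetical names, and the environment variable name and secret are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// sprigLikeFuncMap mirrors the shape of a Sprig-style function map. It is
// constructed for this example; the real Sprig library is not imported.
// "env" and "expandenv" are the two functions CVE-2025-49136 concerns: both
// read the host process environment from inside a template.
func sprigLikeFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":     strings.ToUpper,
		"trim":      strings.TrimSpace,
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// hardenedFuncMap copies the map and removes functions that reach outside the
// template sandbox. Because the keys are gone before template.Parse, a body
// that references them fails to parse instead of silently executing.
func hardenedFuncMap(base template.FuncMap) template.FuncMap {
	denied := []string{"env", "expandenv"}
	out := make(template.FuncMap, len(base))
	for k, v := range base {
		out[k] = v
	}
	for _, name := range denied {
		delete(out, name)
	}
	return out
}

// renderCampaign parses and executes an untrusted campaign body with the
// supplied function map and returns any parse/exec error so the caller can
// see the difference between the two maps.
func renderCampaign(funcs template.FuncMap, body string) (string, error) {
	tmpl, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Name": "Subscriber"}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed secret standing in for something like a database password
	// the process was started with.
	os.Setenv("LISTMONK_DB_PASSWORD", "s3cr3t")

	// Attacker-authored campaign body: looks like a greeting, but copies an
	// environment variable into every rendered message.
	body := `Hello {{ .Name | upper }}, token={{ env "LISTMONK_DB_PASSWORD" }}`

	out, err := renderCampaign(sprigLikeFuncMap(), body)
	fmt.Printf("default map : out=%q err=%v\n", out, err)

	out, err = renderCampaign(hardenedFuncMap(sprigLikeFuncMap()), body)
	fmt.Printf("hardened map: out=%q err=%v\n", out, err)
}
```

Deleting from the map is the cheap version of the fix; the stricter version is to start from an empty `template.FuncMap` and add only the functions a campaign author legitimately needs, so that a future upgrade of the helper library cannot reintroduce a host-reaching function without a code change.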