Jan 2, 2026 · 6 min read
Listmonk versions prior to 6.0.0 trusted user input a little too much. By abusing the 'Safe' template filter, an attacker with basic campaign editing rights (the campaigns:manage permission) can inject malicious JavaScript into a campaign. When an administrator previews that campaign, the script executes in the administrator's browser session, effectively handing over the keys to the kingdom.
A critical Stored XSS vulnerability in the popular self-hosted newsletter manager, listmonk, allows low-privileged users to hijack administrative accounts via unsafe template rendering.
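The following Go program is an added example, not listmonk's own code and not a reproduction of its rendering pipeline. It uses the escaping model of Go's html/template (listmonk is a Go application; that its 'Safe' filter is implemented exactly as a function returning template.HTML is an assumption) to show why such a filter defeats contextual escaping, and one way to keep the opt-out while gating it on who authored the content. The layouts, the `unsafeFilter` helper and the `authorIsTrusted` flag are all illustrative assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample body such as a user holding only campaigns:manage could save.
// The <script> tag is inert test input used to show where escaping happens.
const untrustedBody = `Hello subscriber! <script>alert(1)</script>`

// Simplified application-owned layouts (assumed; not listmonk's real templates).
// The body is data interpolated into the layout, so html/template escapes it
// according to context unless something marks it as already-safe HTML.
const (
	layoutPlain    = `<div class="campaign">{{ .Body }}</div>`
	layoutWithSafe = `<div class="campaign">{{ .Body | Safe }}</div>`
)

// unsafeFilter models the behaviour the advisory attributes to the 'Safe' filter
// (an assumption about its implementation): returning template.HTML tells
// html/template the value is trusted markup, so contextual escaping is skipped.
func unsafeFilter(s string) template.HTML { return template.HTML(s) }

// render parses layout with funcs and executes it with body bound to .Body.
func render(layout string, funcs template.FuncMap, body string) (string, error) {
	t, err := template.New("campaign").Funcs(funcs).Parse(layout)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Body": body}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEscaped is the default: html/template neutralises the markup.
func RenderEscaped(body string) (string, error) {
	return render(layoutPlain, nil, body)
}

// RenderWithUnsafeFilter reproduces the vulnerable pattern: untrusted text
// flows through a function that returns template.HTML and reaches the page raw.
func RenderWithUnsafeFilter(body string) (string, error) {
	return render(layoutWithSafe, template.FuncMap{"Safe": unsafeFilter}, body)
}

// RenderHardened keeps the Safe opt-out but gates it on who authored the content:
// application-owned fragments may pass through, while anything from a campaign
// editor is escaped first, so the same layout can no longer carry script to a previewer.
func RenderHardened(body string, authorIsTrusted bool) (string, error) {
	safe := func(s string) template.HTML {
		if authorIsTrusted {
			return template.HTML(s)
		}
		return template.HTML(template.HTMLEscapeString(s))
	}
	return render(layoutWithSafe, template.FuncMap{"Safe": safe}, body)
}

// ContainsRawScript is the check a preview-side regression test would run:
// true when a script tag survived rendering unescaped.
func ContainsRawScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	cases := []struct {
		name string
		fn   func() (string, error)
	}{
		{"escaped (default)", func() (string, error) { return RenderEscaped(untrustedBody) }},
		{"unsafe Safe filter", func() (string, error) { return RenderWithUnsafeFilter(untrustedBody) }},
		{"hardened, untrusted author", func() (string, error) { return RenderHardened(untrustedBody, false) }},
		{"hardened, trusted author", func() (string, error) { return RenderHardened(untrustedBody, true) }},
	}
	for _, c := range cases {
		out, err := c.fn()
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		fmt.Printf("%-28s raw script: %-5v %s\n", c.name, ContainsRawScript(out), out)
	}
}
```

The point to take from the three renderers is that html/template only protects data it is allowed to escape; any FuncMap entry that returns template.HTML is a promise that the input is already safe, so such a function must never be reachable with content authored by a lower-privileged user. Gating the opt-out on author trust, as `RenderHardened` does, is one mitigation; removing the filter from user-authored templates entirely is the simpler one.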
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| listmonk | < 6.0.0 | 6.0.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Attack Vector | Network (Stored XSS) |
| CVSS v3.1 | 8.0 (High) |
| Privileges Required | Low (campaigns:manage) |
| User Interaction | Required (Admin views preview) |
| Impact | Account Takeover / Privilege Escalation |