GHSA-JMR4-P576-V565

listmonk: From Humble Campaign Manager to Super Admin via XSS

Alon Barad
Software Engineer

Jan 2, 2026 · 8 min read

Executive Summary (TL;DR)

A low-privilege user in listmonk can inject JavaScript into a campaign. When an admin views it, the script runs, silently creating a new admin account for the attacker. The fix patches the admin preview but explicitly leaves the public archive vector potentially vulnerable.

listmonk, a self-hosted newsletter manager, contains a classic Stored Cross-Site Scripting (XSS) vulnerability that allows a low-privileged user to achieve full administrative control. By embedding malicious JavaScript into a campaign or template, an attacker can execute code in a Super Admin's browser context. The vulnerability is made more severe by a 'no-click' attack vector through the public archive feature, where an admin merely visiting a link can trigger a full account takeover. The provided patch only partially addresses the issue: it hardens the admin preview but leaves the public archive as a potential attack vector.
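As an added illustration of the mitigation class this advisory calls for (not listmonk's code and not the project's actual fix), the following standard-library allow-list sanitizer is a single choke point that both rendering paths named above, the admin preview and the public archive, would run campaign bodies through; the tag and attribute lists are assumptions:

```python
from html import escape
from html.parser import HTMLParser
# Allow-lists are assumptions for this example; a deployment tunes them to its own templates.
ALLOWED_TAGS = {"p", "a", "b", "strong", "i", "em", "ul", "ol", "li", "br", "h1", "h2", "h3",
                "img", "div", "span", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}  # no style, no on* handlers
URL_ATTRS, SAFE_SCHEMES = {"href", "src"}, ("http:", "https:", "mailto:")
VOID_TAGS, DROP_WITH_CONTENT = {"br", "img"}, {"script", "style"}


class CampaignSanitizer(HTMLParser):
    """Rebuilds campaign HTML from the allow-list so scripts, handlers and javascript: URLs never reach the output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>; their text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names and entity-decodes values
            if name not in ALLOWED_ATTRS or value is None:
                continue  # also drops every onload/onerror/... handler
            if name in URL_ATTRS:
                compact = "".join(value.split()).lower()  # catches "java\tscript:" spellings
                if ":" in compact and not compact.startswith(SAFE_SCHEMES):
                    continue  # javascript:, data:, vbscript: ... are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_campaign_html(body: str) -> str:
    # Single choke point for campaign bodies: call it before storing and before every render.
    parser = CampaignSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Comments, processing instructions and doctype declarations are dropped as well, since HTMLParser's default handlers for them emit nothing.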


Technical Appendix

CVSS Score
5.4 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

Affected Systems

listmonk

Affected Versions Detail

Product     Vendor    Affected Versions    Fixed Version
listmonk    knadh     < 6.0.0              6.0.0
Attribute              Detail
CWE ID                 CWE-79
CWE Name               Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Attack Vector          Network
Attack Complexity      Low
Privileges Required    Low (Campaign Management)
CVSS v4.0 Score        5.4 (Medium)
Impact                 Privilege Escalation to Super Admin, Account Takeover
Exploit Status         Proof-of-Concept
KEV Status             Not Listed
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This allows an attacker to inject malicious scripts into web pages viewed by other users, leading to code execution in the victim's browser.

Vulnerability Timeline

2025-12-31    Fix was committed to the repository.
2026-01-02    CVE-2026-21483 was officially published.
