CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-JMR4-P576-V565 (CVSS 5.4)

listmonk: From Humble Campaign Manager to Super Admin via XSS

Alon Barad
Software Engineer

Jan 2, 2026 · 8 min read · 11 visits

PoC Available

Executive Summary (TL;DR)

A low-privilege user in listmonk can inject JavaScript into a campaign. When an admin views it, the script runs, silently creating a new admin account for the attacker. The fix patches the admin preview but explicitly leaves the public archive vector potentially vulnerable.

listmonk, a self-hosted newsletter manager, contains a classic Stored Cross-Site Scripting (XSS) vulnerability that allows a low-privileged user to achieve full administrative control. By embedding malicious JavaScript into a campaign or template, an attacker can execute code in a Super Admin's browser context. The vulnerability is made more severe by a 'no-click' attack vector through the public archive feature, where an admin simply visiting a link can trigger a full account takeover. The provided patch only partially addresses the issue, leaving a potential attack vector wide open.


Technical Appendix

CVSS Score: 5.4 / 10
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

Affected Systems

listmonk

Affected Versions Detail

Product: listmonk (knadh)
Affected Versions: < 6.0.0
Fixed Version: 6.0.0

CWE ID: CWE-79
CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low (Campaign Management)
CVSS v4.0 Score: 5.4 (Medium)
Impact: Privilege Escalation to Super Admin, Account Takeover
Exploit Status: Proof-of-Concept
KEV Status: Not Listed

MITRE ATT&CK Mapping

  • T1059.007 JavaScript (Execution)
  • T1190 Exploit Public-Facing Application (Initial Access)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This allows an attacker to inject malicious scripts into web pages viewed by other users, leading to code execution in the victim's browser.

Vulnerability Timeline

  • 2025-12-31: Fix was committed to the repository.
  • 2026-01-02: CVE-2026-21483 was officially published.

References & Sources

  • [1] GitHub Advisory GHSA-JMR4-P576-V565: Stored XSS in campaign and template editors
  • [2] NVD Entry for CVE-2026-21483

Related Vulnerabilities

  • CVE-2026-21483

Attack Flow Diagram (interactive diagram; not reproduced in text)