VDB
CVE-2026-21483
PUBLISHED
CVSS 5.4 MEDIUM
listmonk is a standalone, self-hosted newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews that content, the XSS executes in the admin's browser context, letting the attacker perform privileged actions such as creating backdoor admin accounts. The attack can also be weaponized via the public archive feature, where the victim only needs to visit a link; no preview click is required. Version 6.0.0 fixes the issue.
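Because the payload is stored server-side, upgrading to 6.0.0 stops new injection but does nothing about campaign or template bodies a campaign-manager account may already have planted. The script below is an added example, not listmonk's own code or the fix from the advisory: it walks campaign records (the `{"data": {"results": [...]}}` shape is assumed to match what the listmonk campaigns API returns; the sample records are constructed here) and flags HTML constructs that execute script in a browser, so an operator can review them before a Super Admin previews them or they are served through the public archive.

```python
"""Audit stored listmonk campaign/template HTML for script-executing content.

Added example for CVE-2026-21483. Not part of listmonk. It works offline on
an embedded, constructed sample; in practice feed it the JSON you fetched
from the instance's campaigns or templates API (response shape assumed).
"""
import re
from html.parser import HTMLParser

# Attribute names and URL schemes that let a browser run attacker script.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base", "meta"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


class ScriptFinder(HTMLParser):
    """Collects (tag, attribute_or_None, value_snippet) for each hit."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DANGEROUS_TAGS:
            self.findings.append((tag, None, ""))
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if EVENT_ATTR.match(name):                 # onload=, onerror=, ...
                self.findings.append((tag, name, value[:60]))
            elif name in URL_ATTRS and SCRIPT_SCHEME.match(value):
                self.findings.append((tag, name, value[:60]))
            elif name == "srcdoc":                     # inline document in an iframe
                self.findings.append((tag, name, value[:60]))

    # Self-closing tags (<img .../>) carry attributes too.
    handle_startendtag = handle_starttag


def scan_html(body):
    """Return the list of script-capable constructs found in one HTML body."""
    parser = ScriptFinder()
    parser.feed(body)
    parser.close()
    return parser.findings


def audit(records, body_key="body"):
    """Map record id -> findings for every record whose body has a hit."""
    hits = {}
    for rec in records:
        findings = scan_html(rec.get(body_key) or "")
        if findings:
            hits[rec["id"]] = findings
    return hits


def audit_campaign_export(payload):
    """Audit a campaigns API response; the data/results wrapper is assumed."""
    return audit(payload["data"]["results"])


# Constructed sample: one benign newsletter and two with planted payloads.
# The fetch() target in record 2 is a placeholder, not a real listmonk call.
SAMPLE_API_RESPONSE = {"data": {"results": [
    {"id": 1, "name": "Weekly digest",
     "body": '<h1>Hi {{ .Subscriber.FirstName }}</h1>'
             '<p><a href="https://example.com/read">Read more</a></p>'},
    {"id": 2, "name": "Promo",
     "body": '<p>Deal of the week</p>'
             '<img src=x onerror="fetch(\'/placeholder\',{method:\'POST\'})">'},
    {"id": 3, "name": "Notice",
     "body": '<p><a href="javascript:alert(document.cookie)">click</a></p>'
             '<script>/* planted */</script>'},
]}}


if __name__ == "__main__":
    for cid, findings in audit_campaign_export(SAMPLE_API_RESPONSE).items():
        for tag, attr, snippet in findings:
            where = f"<{tag}>" if attr is None else f"<{tag} {attr}=...>"
            print(f"campaign {cid}: {where} {snippet}")
```

A clean record produces no entry; records 2 and 3 are reported with the tag and attribute that carried the payload, which is what an operator needs in order to open the offending campaign and strip or delete it. The same `audit()` call works on template records if you point `body_key` at the field your API export uses.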
EPSS 0.01% · 0.5th percentile
Risk Scores
CVSS v4.0
5.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P
EPSS Score
0.01%
0.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| knadh | listmonk | * |
| github.com | knadh/listmonk | 0, 1.1.1 |
| nadh | listmonk | 0 |
Per the description, every release before 6.0.0 is affected and 6.0.0 contains the fix; the version entries above are the raw identifiers as recorded.
Timeline
- Jan 2, 2026 CVE Published
- Jan 3, 2026 through Jan 29, 2026 EPSS score updates (Jan 3, 6, 10, 13, 16, 20, 23, 26, 29)
- Jan 24, 2026 PoC Published
- Jan 24, 2026 PoC Published
References
- GitHub security advisory GHSA-jmr4-p576-v565: https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-21483
- Fix commit: https://github.com/knadh/listmonk/commit/74dc5a01cfbb12cf218cb33ddad8410c53e2e915
- Project repository: https://github.com/knadh/listmonk
- Fixed release v6.0.0: https://github.com/knadh/listmonk/releases/tag/v6.0.0