Cross-Site Scripting Vulnerability in Listmonk by Knadh
CVE-2026-21483
5.4MEDIUM
What is CVE-2026-21483?
Listmonk is a self-hosted newsletter and mailing list manager that is vulnerable to Cross-Site Scripting (XSS) attacks. Prior to version 6.0.0, users with lower privileges who manage campaigns can insert malicious JavaScript into campaign content or templates. When viewed by higher-privileged users, such as Super Admins, this malicious script executes in their browsers, enabling attackers to perform unauthorized actions, including the creation of backdoor admin accounts. Furthermore, this vulnerability can be exploited via the public archive feature, requiring victims to only visit a link without prior content preview, making it particularly dangerous. The issue has been addressed in version 6.0.0.
Affected Version(s)
listmonk < 6.0.0
