CVE-2026-21483
Stored XSS in listmonk Campaigns Enables Admin Account Takeover
Publication date: 2026-01-02
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nadh | listmonk | to 6.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21483 is a Stored Cross-Site Scripting (XSS) vulnerability in listmonk versions up to 5.1.0. A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaign content or templates. When a higher-privileged user (like a Super Admin) views or previews this content, the malicious script executes in their browser, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can also be triggered automatically via the public campaign archive feature by simply visiting a crafted link. [1]
How can this vulnerability impact me? :
This vulnerability can lead to a full compromise of the listmonk application. An attacker with limited permissions can escalate their privileges by injecting malicious scripts that execute in the context of higher-privileged users. This allows the attacker to create backdoor admin accounts, export all subscriber data, modify SMTP settings, delete campaigns, and access API keys and secrets, severely impacting the security and integrity of the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying malicious JavaScript injections in campaign bodies or templates created by lower-privileged users. You can inspect the stored campaign content and templates for suspicious <script> tags or unusual template syntax such as {{ ` | Safe }}. Additionally, monitoring HTTP requests to the public campaign archive URLs for unusual or crafted links that trigger the XSS payload can help. Specific commands depend on your environment, but for example, you can use grep or similar tools to search for suspicious script tags in the listmonk database exports or files. Example command: grep -r '<script' /path/to/listmonk/data or grep -r '{{ ` | Safe }}' /path/to/listmonk/data. Also, reviewing web server logs for unusual access patterns to campaign archive URLs may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade listmonk to version 6.0.0 or later, where this vulnerability is fixed. Until the upgrade, restrict campaign management permissions to trusted users only, and avoid using the public campaign archive feature to prevent automatic execution of malicious scripts. Additionally, review and sanitize existing campaign and template content to remove any injected malicious JavaScript. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.