PT-2026-1133 · Listmonk · Listmonk
Playeriunknown · Published 2026-01-02 · Updated 2026-01-17
CVE-2026-21483 · CVSS v4.0 6.4 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: listmonk versions prior to 6.0.0
Description: Stored cross-site scripting leading to privilege escalation. listmonk is a self-hosted newsletter and mailing list manager. A user who holds campaign management permissions but is otherwise lower-privileged can inject JavaScript into campaign or template content. When a higher-privileged user (a Super Admin) views or previews that content, the script runs in the admin's browser with the admin's session and can perform privileged actions on the attacker's behalf, such as creating a backdoor admin account. The same content is also reachable through the public archive feature, so the victim only has to visit a link; no preview action is required. The vulnerable component is the campaign and template functionality.
Recommendations: Update to listmonk 6.0.0 or later. Because the payload lives in stored campaign and template content, reviewing existing campaigns and templates authored by lower-privileged users is a sensible part of the upgrade.
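As an added illustration of the pattern behind this advisory, not code from listmonk or from the advisory's author, the following Go program contrasts an admin preview handler that renders stored campaign HTML inside the admin UI's own origin with no execution restrictions against one that serves the same HTML under a sandboxing Content-Security-Policy, and adds a heuristic scan for active content in stored bodies. The handler names, the page shell, the preview path and the sample campaign body are constructed for the example; the CSP shown is a generic mitigation for previewing untrusted HTML, not a description of the fix shipped in listmonk 6.0.0.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Constructed sample campaign body, as a low-privileged campaign manager could
// save it. The inline event handler runs in whatever browser renders this
// markup as part of the admin UI, with that user's session.
const attackerBody = `<h1>Weekly update</h1>` +
	`<img src="x" onerror="fetch('/api/users',{method:'POST',credentials:'include'})">`

// Hypothetical page shell for the preview; {{.}} is where the body goes.
var previewPage = template.Must(template.New("preview").Parse(
	"<!doctype html><title>Preview</title><main>{{.}}</main>"))

// previewVulnerable shows the unsafe pattern: the body is typed as
// template.HTML, so html/template inserts it verbatim, and the page is served
// from the admin origin with no policy restricting what it may execute.
func previewVulnerable(body string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		_ = previewPage.Execute(w, template.HTML(body))
	}
}

// previewHardened still renders the newsletter as HTML (an escaped preview
// would be useless to the reviewer) but serves it under a sandboxing CSP:
// no script source is allowed, so <script> and on* handlers do not run, and
// the "sandbox" directive gives the document an opaque origin, so even a
// script that did run could not use the admin's cookies against the API.
// The admin UI should additionally embed this URL in an <iframe sandbox>.
func previewHardened(body string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("Content-Security-Policy",
			"sandbox; default-src 'none'; img-src https: data:; style-src 'unsafe-inline'")
		_ = previewPage.Execute(w, template.HTML(body))
	}
}

// activeContent is a triage heuristic for scanning stored campaign and
// template bodies: script elements, inline event handlers, javascript: URLs
// and embedding elements. It is a review aid, not a sanitizer; an
// allowlist-based HTML sanitizer is the right tool for enforcement.
var activeContent = regexp.MustCompile(
	`(?i)<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript\s*:`)

// hasActiveContent reports whether a stored body matches the heuristic.
func hasActiveContent(body string) bool {
	return activeContent.MatchString(body)
}

// serve runs a handler against an in-memory request and returns the response
// headers and body, so the two previews can be compared without a server.
func serve(h http.HandlerFunc) (http.Header, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/admin/campaigns/1/preview", nil))
	return rec.Result().Header, rec.Body.String()
}

func main() {
	for _, p := range []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable", previewVulnerable(attackerBody)},
		{"hardened", previewHardened(attackerBody)},
	} {
		hdr, body := serve(p.h)
		fmt.Printf("%s preview: CSP=%q active-content=%v\n%s\n\n",
			p.name, hdr.Get("Content-Security-Policy"), hasActiveContent(body), body)
	}
}
```

Both handlers emit the attacker's markup unchanged; the difference is that the hardened response tells the browser not to execute it and strips the document of the admin origin, which is what breaks the path from "campaign manager writes HTML" to "Super Admin's session performs privileged actions". The regex scan is only for reviewing existing content after an upgrade and will produce false positives on prose such as " online=".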

Exploit · Fix · LPE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-21483
GHSA-JMR4-P576-V565
GO-2026-4277
SUSE-SU-2026:0142-1

Affected Products

Listmonk