CVE-2026-21483: listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover

January 2, 2026

A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.

The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required.

References

github.com/advisories/GHSA-jmr4-p576-v565
github.com/knadh/listmonk
github.com/knadh/listmonk/commit/74dc5a01cfbb12cf218cb33ddad8410c53e2e915
github.com/knadh/listmonk/releases/tag/v6.0.0
github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565
nvd.nist.gov/vuln/detail/CVE-2026-21483

Code Behaviors & Features

Detect and mitigate CVE-2026-21483 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →