Vulnerabilities

CVE-2026-21483 - listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover

2026-01-02 0 views admin

CVE ID : CVE-2026-21483 Published : Jan. 2, 2026, 9:16 p.m. | 52 minutes ago Description : listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2026-21483

Severity

MEDIUM

Published

Jan. 2, 2026

Impact: XSS

Source: Telegram CVE Monitor

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2026-21483medium

CVE-2026-21483 - listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2026-0571 - yeqifu warehouse AppFileUtils.java createResponseEntity path traversal

CVE-2026-21447 - Bagisto has IDOR in Customer Order Reorder Functionality

CVE-2026-21448 - Bagisto has Normal & Blind SSTI from low-privilege user when ordering product

CVE-2026-21451 - Bagisto has HTML Filter Bypass that Enables Stored XSS

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting