@alon710
Created January 28, 2026 11:40
GHSA-JMR4-P576-V565: listmonk: From Humble Campaign Manager to Super Admin via XSS - CVE Security Report


CVSS Score: 5.4
Published: 2026-01-02
Full Report: https://cvereports.com/reports/GHSA-JMR4-P576-V565

Summary

listmonk, a self-hosted newsletter manager, contains a classic Stored Cross-Site Scripting (XSS) vulnerability that allows a low-privileged user to achieve full administrative control. By embedding malicious JavaScript into a campaign or template, an attacker can execute code in a Super Admin's browser context. The vulnerability is made more severe by a 'no-click' attack vector through the public archive feature, where an admin simply visiting a link can trigger a full account takeover. The provided patch only partially addresses the issue, leaving a potential attack vector wide open.

TL;DR

A low-privilege user in listmonk can inject JavaScript into a campaign. When an admin views it, the script runs, silently creating a new admin account for the attacker. The fix patches the admin preview but explicitly leaves the public archive vector potentially vulnerable.

Exploit Status: Proof-of-Concept (PoC)

Technical Details

  • CWE ID: CWE-79
  • CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (Campaign Management)
  • CVSS v4.0 Score: 5.4 (Medium)
  • Impact: Privilege Escalation to Super Admin, Account Takeover
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • listmonk
  • listmonk: < 6.0.0 (Fixed in: 6.0.0)

Mitigation

  • Upgrade to listmonk version 6.0.0 or newer immediately.
  • Implement a strict, whitelist-based HTML sanitization library for all user-provided content before rendering.
  • Deploy a strong Content Security Policy (CSP) to block inline scripts and untrusted script sources.
  • Review and enforce the principle of least privilege for all user roles, especially those with content creation permissions.
  • Regularly audit campaign and template content for suspicious scripts or HTML.

Remediation Steps:

  1. Take the listmonk instance offline or place it in maintenance mode.
  2. Back up the application data and database.
  3. Follow the official listmonk documentation to upgrade to version 6.0.0 or the latest stable release.
  4. After upgrading, conduct a thorough audit of all user accounts, especially Super Admin accounts, to identify any unauthorized accounts created via this exploit.
  5. Review existing campaigns and templates for any malicious payloads and remove them.
  6. Bring the application back online and monitor logs for any suspicious activity.

Generated by CVEReports - Automated Vulnerability Intelligence
