Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.
AnalysisAI
Listmonk versions 4.1.0 through 6.0.x contain authorization bypass vulnerabilities in list permission checks that allow authenticated users in multi-user environments to access mailing lists they should not have access to. The vulnerability affects only self-hosted deployments with multiple untrusted users and has been patched in version 6.1.0. No public exploit code or active exploitation has been identified at this time.
Technical ContextAI
Listmonk is a self-hosted newsletter and mailing list management application. The vulnerability stems from improper authorization controls (CWE-639: Authorization Bypass Through User-Controlled Key) in the list permission validation logic. In multi-user environments where different users should have isolated or role-based access to specific mailing lists, the application fails to properly enforce these access controls across different scenarios. This allows an authenticated user to directly access or manipulate lists owned by or assigned to other users by circumventing or bypassing the permission checks. The affected CPE (cpe:2.3:a:knadh:listmonk:*:*:*:*:*:*:*:*) indicates the vulnerability impacts the Knadh Listmonk product across a range of versions.
RemediationAI
Upgrade Listmonk to version 6.1.0 or later to apply the patch. This is the primary and recommended remediation. Organizations unable to upgrade immediately should restrict access to the Listmonk instance to trusted users only and disable multi-user functionality if possible, though this is a temporary mitigation rather than a complete fix. For detailed upgrade instructions and full advisory information, consult the GitHub security advisory at https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv and the release notes for version 6.1.0 at https://github.com/knadh/listmonk/releases/tag/v6.1.0.
A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41%
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Rated high severity (CVSS 8.6), this vulnera
Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject ma
Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers
SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated u
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18450