Skip to main content

Listmonk

6 CVEs product

Monthly

CVE-2026-62361 MEDIUM PATCH This Month

SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.

SQLi PostgreSQL Listmonk
NVD GitHub
CVSS 3.1
5.5
CVE-2026-34584 MEDIUM PATCH This Month

Listmonk versions 4.1.0 through 6.0.x contain authorization bypass vulnerabilities in list permission checks that allow authenticated users in multi-user environments to access mailing lists they should not have access to. The vulnerability affects only self-hosted deployments with multiple untrusted users and has been patched in version 6.1.0. No public exploit code or active exploitation has been identified at this time.

Authentication Bypass Listmonk
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21483 Go MEDIUM POC PATCH This Month

Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject malicious JavaScript that executes when administrators preview campaigns or templates, enabling privilege escalation attacks such as creating backdoor admin accounts. Public exploit code exists for this vulnerability, and the attack surface expands through the public archive feature where victims need only visit a link to trigger the payload. Version 6.0.0 addresses this flaw, though patches are currently unavailable for earlier versions.

XSS Listmonk Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-58430 Go HIGH POC PATCH This Week

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF XSS Listmonk Suse
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-49136 Go CRITICAL POC PATCH THREAT Act Now

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.

Information Disclosure Privilege Escalation Listmonk Suse
NVD GitHub
CVSS 3.1
9.0
EPSS
41.3%
Threat
4.5
CVE-2025-46011 MEDIUM PATCH This Month

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.

SQLi Listmonk
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVSS 5.5
MEDIUM PATCH This Month

SQL injection in listmonk's subscriber export endpoint prior to version 6.2.0 allows a highly-privileged authenticated user to read arbitrary PostgreSQL database tables - including users and settings - and execute data-modifying CTEs. The GET /api/subscribers/export endpoint passed a user-controlled query parameter directly into QuerySubscribersForExport in internal/core/subscribers.go without invoking the validateQueryTables guard that the sibling GET /api/subscribers endpoint correctly applies, creating a bypass of the allowlist-based table restriction. Exploitation requires possession of both the subscribers:sql_query and subscribers:get_all permissions; no public exploit code has been identified at time of analysis.

SQLi PostgreSQL Listmonk
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Listmonk versions 4.1.0 through 6.0.x contain authorization bypass vulnerabilities in list permission checks that allow authenticated users in multi-user environments to access mailing lists they should not have access to. The vulnerability affects only self-hosted deployments with multiple untrusted users and has been patched in version 6.1.0. No public exploit code or active exploitation has been identified at this time.

Authentication Bypass Listmonk
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject malicious JavaScript that executes when administrators preview campaigns or templates, enabling privilege escalation attacks such as creating backdoor admin accounts. Public exploit code exists for this vulnerability, and the attack surface expands through the public archive feature where victims need only visit a link to trigger the payload. Version 6.0.0 addresses this flaw, though patches are currently unavailable for earlier versions.

XSS Listmonk Suse
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF XSS Listmonk +1
NVD GitHub
EPSS 41% 4.5 CVSS 9.0
CRITICAL POC PATCH THREAT Act Now

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.

Information Disclosure Privilege Escalation Listmonk +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL Injection in the QuerySubscribers function which allows attackers to escalate privileges.

SQLi Listmonk
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy