Listmonk

4 CVEs


CVE-2026-21483 MEDIUM POC PATCH This Month

Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject JavaScript into campaign or template content. The payload executes in an administrator's browser session when the administrator previews the campaign or template, which enables privilege escalation such as creating a backdoor admin account. Public exploit code exists. The public archive feature widens the attack surface: a victim only has to visit an archive link for the payload to fire. Version 6.0.0 fixes the flaw; no patch is available for earlier releases, so remediation means upgrading.

Tags: XSS, Listmonk, SUSE
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
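The entry above describes stored campaign HTML whose script runs with the administrator's session at preview time. The following Go program is an added example, not listmonk's code, that shows the class of mitigation a practitioner would check for: serving the unchanged preview HTML under a Content-Security-Policy that blocks script execution and sandboxes the document, with a small directive parser to verify the policy. The campaign body, handler names and preview path are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stored campaign body as an attacker with campaign rights might
// save it: ordinary newsletter HTML plus a script that would run with the
// administrator's session if the preview were served without a policy.
const storedCampaign = `<h1>Newsletter</h1>` +
	`<script>fetch("/api/users",{method:"POST",body:"..."})</script>`

// unsafePreview reproduces the risky pattern: the raw stored HTML is served
// on the admin origin with no policy, so its script runs as the admin.
func unsafePreview(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, storedCampaign)
}

// hardenedPreview serves the same HTML under a Content-Security-Policy:
// default-src 'none' blocks inline and external script (and other fetches),
// and the sandbox directive gives the document an opaque origin so it is not
// same-origin with the admin UI. Images and inline styles stay allowed so the
// preview still renders. Hypothetical handler, not listmonk's own code.
func hardenedPreview(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy",
		"sandbox; default-src 'none'; img-src https: data:; style-src 'unsafe-inline'")
	fmt.Fprint(w, storedCampaign)
}

// ServePreview runs a handler against a recorded GET and returns the response
// body and the Content-Security-Policy header it set.
func ServePreview(h http.HandlerFunc) (body string, csp string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/admin/campaigns/1/preview", nil))
	return rec.Body.String(), rec.Header().Get("Content-Security-Policy")
}

// cspDirectives parses a policy string into directive name -> source list.
func cspDirectives(policy string) map[string][]string {
	dirs := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		dirs[strings.ToLower(fields[0])] = fields[1:]
	}
	return dirs
}

// ScriptsBlocked reports whether a policy forbids all script execution:
// script-src 'none', or default-src 'none' when script-src is absent.
func ScriptsBlocked(policy string) bool {
	dirs := cspDirectives(policy)
	srcs, ok := dirs["script-src"]
	if !ok {
		srcs, ok = dirs["default-src"]
	}
	return ok && len(srcs) == 1 && strings.EqualFold(srcs[0], "'none'")
}

func main() {
	handlers := map[string]http.HandlerFunc{"unsafe": unsafePreview, "hardened": hardenedPreview}
	for name, h := range handlers {
		_, csp := ServePreview(h)
		fmt.Printf("%-8s CSP=%q scriptsBlocked=%v\n", name, csp, ScriptsBlocked(csp))
	}
}
```

The HTML is identical in both responses; the difference is entirely in the headers, which is why a check like ScriptsBlocked belongs in an integration test for any preview endpoint that renders user-authored HTML on the admin origin. Note that the sandbox directive only takes effect when delivered as an HTTP header, not via a meta tag.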
CVE-2025-58430 HIGH POC PATCH This Week

listmonk is a standalone, self-hosted newsletter and mailing list manager. This entry is rated high severity (CVSS 4.0 score 8.6): the flaw is remotely exploitable over the network, requires no authentication and has low attack complexity; its tags classify it as CSRF and XSS. Public exploit code is available, and no vendor patch is available.

Tags: CSRF, XSS, Listmonk, SUSE
Sources: NVD, GitHub
CVSS 4.0: 8.6 | EPSS: 0.0%
CVE-2025-49136 CRITICAL POC PATCH THREAT Act Now

Listmonk version 4.0.0 and later (CVSS 9.0) allow capture of environment variables from the listmonk process, which on a typical deployment carry configuration secrets such as database credentials. Risk factors: EPSS 41% exploitation probability and a public PoC. A vendor patch is available.

Tags: Information Disclosure, Privilege Escalation, Listmonk, SUSE
Sources: NVD, GitHub
CVSS 3.1: 9.0 | EPSS: 41.3% | Threat: 4.5
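The entry above says only that environment variables can be captured; it does not say through which mechanism. The Go program below is an added example, not listmonk's code, that reproduces the general class with the standard text/template package: a function map that exposes the process environment to user-authored template text, beside a restricted map that does not. The helper names env and expandenv, the campaign body and the secret value are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Constructed campaign body as an attacker with campaign-editing rights might
// submit it: ordinary personalisation plus a call into the function map.
const attackerBody = `Hi {{ .Name }}, your code is {{ env "LISTMONK_db__password" }}`

// exposedFuncMap reproduces the risky pattern: helpers that read the process
// environment are reachable from user-controlled template text.
// Hypothetical function map, not listmonk's own code.
func exposedFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// restrictedFuncMap keeps only pure string helpers; nothing here can touch
// the host, so a template calling env fails at parse time instead of leaking.
func restrictedFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper": strings.ToUpper,
	}
}

// Render parses body with the given helpers and executes it against data.
// Funcs must be registered before Parse, or unknown names are parse errors.
func Render(body string, funcs template.FuncMap, data interface{}) (string, error) {
	t, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed secret for the demo only; a real process would inherit it
	// from the environment the operator configured.
	os.Setenv("LISTMONK_db__password", "hunter2")
	data := map[string]string{"Name": "Alice"}

	out, err := Render(attackerBody, exposedFuncMap(), data)
	fmt.Printf("exposed:    %q err=%v\n", out, err)

	out, err = Render(attackerBody, restrictedFuncMap(), data)
	fmt.Printf("restricted: %q err=%v\n", out, err)
}
```

The point of the restricted map is that the failure moves to parse time and is visible to the person saving the campaign, rather than silently rendering a secret into an outgoing email or a preview. Auditing which functions a template engine exposes to untrusted authors is the check to run on any application that lets users write templates.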
CVE-2025-46011 MEDIUM PATCH This Month

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL injection in the QuerySubscribers function, which allows an attacker to escalate privileges.

Tags: SQLi, Listmonk
Sources: NVD, GitHub
CVSS 3.1: 6.5 | EPSS: 0.1%