Listmonk

4 CVEs (product)

CVE-2026-21483 | Go | MEDIUM | POC | PATCH | This Month

Stored XSS in Listmonk before version 6.0.0 allows authenticated users with campaign management permissions to inject malicious JavaScript that executes when administrators preview campaigns or templates, enabling privilege escalation attacks such as creating backdoor admin accounts. Public exploit code exists for this vulnerability, and the attack surface expands through the public archive feature where victims need only visit a link to trigger the payload. Version 6.0.0 addresses this flaw, though patches are currently unavailable for earlier versions.

Tags: XSS, Listmonk, Suse
References: NVD, GitHub
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2025-58430 | Go | HIGH | POC | PATCH | This Week

listmonk is a standalone, self-hosted newsletter and mailing list manager. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: XSS, CSRF, Listmonk, Suse
References: NVD, GitHub
CVSS 4.0: 8.6
EPSS: 0.0%
CVE-2025-49136 | Go | CRITICAL | POC | PATCH | THREAT | Act Now

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capture of environment variables. Risk factors: EPSS 41% exploitation probability, public PoC available. A vendor patch is available.

Tags: Privilege Escalation, Information Disclosure, Listmonk, Suse
References: NVD, GitHub
CVSS 3.1: 9.0
EPSS: 41.3%
Threat: 4.5
CVE-2025-46011 | MEDIUM | PATCH | This Month

Listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL injection in the QuerySubscribers function, which allows attackers to escalate privileges.

Tags: SQLi, Listmonk
References: NVD, GitHub
CVSS 3.1: 6.5
EPSS: 0.1%