XSS in Knadh Listmonk

CVE-2026-21483

listmonk is a standalone, self-hosted newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privi…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (0.5th percentile)

Affected products

Weakness classification (CWE)

References