Impact
This vulnerability is a stored cross‑site scripting (XSS) flaw. A low‑privileged user who holds campaign‑management rights can embed malicious JavaScript in a newsletter campaign or email template, and the payload is persisted by the application. When a higher‑privileged Super Admin views or previews that content in the admin interface, the browser executes the script in the admin's session, so the attacker can perform privileged actions such as creating back‑door admin accounts or tampering with session data. The public archive feature widens the exposure: a campaign published to the archive is rendered to anyone who opens its link, so every visitor, not only an admin who clicks preview, can receive the payload in their own browser.
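As an added illustration, not code from the Listmonk project or from the advisory, the Go program below shows the two rendering paths behind a stored XSS of this kind and one mitigation for the admin preview: the stored body marked as trusted HTML passes a script tag straight to the viewer, the same body passed as a plain string is escaped (safe, but it breaks legitimate HTML newsletters), and a Content-Security-Policy with the `sandbox` directive lets the preview keep rendering HTML while denying script execution and giving the document an opaque origin. The campaign body, the `/admin/campaigns/1/preview` path and the exact CSP are assumptions for the example, not Listmonk's own.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample campaign body, as a user with campaign rights could store it.
// The payload is illustrative and is not taken from the advisory.
const storedBody = `<h1>Weekly update</h1><script>fetch("/api/users",{method:"POST",body:"..."})</script>`

// Minimal preview page; the campaign body is interpolated into the <body> element.
var page = template.Must(template.New("preview").Parse(
	`<!doctype html><title>Preview</title><body>{{ .Body }}</body>`))

// renderAsTrusted mirrors the unsafe pattern: the stored body is wrapped in
// template.HTML, so html/template emits it verbatim and the <script> tag reaches
// whoever views the preview or the public archive page.
func renderAsTrusted(body string) string {
	var sb strings.Builder
	if err := page.Execute(&sb, map[string]interface{}{"Body": template.HTML(body)}); err != nil {
		panic(err)
	}
	return sb.String()
}

// renderEscaped passes the body as a plain string; html/template escapes it and the
// script becomes inert text. Safe, but it also neutralises legitimate newsletter HTML.
func renderEscaped(body string) string {
	var sb strings.Builder
	if err := page.Execute(&sb, map[string]interface{}{"Body": body}); err != nil {
		panic(err)
	}
	return sb.String()
}

// hasLiveScript reports whether an unescaped <script start tag is present, i.e.
// whether a browser rendering this response would execute it (absent a CSP).
func hasLiveScript(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

// previewHandler serves the stored HTML body. When hardened is true it adds a CSP
// whose sandbox directive disables script execution and gives the document an
// opaque origin, so even unescaped HTML cannot run code in the admin's session or
// read its cookies. (Hypothetical endpoint, not Listmonk's real handler.)
func previewHandler(hardened bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		if hardened {
			w.Header().Set("Content-Security-Policy",
				"sandbox; default-src 'none'; img-src https: data:; style-src 'unsafe-inline'")
			w.Header().Set("X-Content-Type-Options", "nosniff")
		}
		fmt.Fprint(w, renderAsTrusted(storedBody))
	}
}

// servePreview issues one request against the handler and returns the CSP header
// (empty when absent) and the response body, so both configurations can be compared.
func servePreview(hardened bool) (csp string, body string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/admin/campaigns/1/preview", nil)
	previewHandler(hardened)(rec, req)
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	for _, hardened := range []bool{false, true} {
		csp, body := servePreview(hardened)
		fmt.Printf("hardened=%v live script in body=%v CSP=%q\n", hardened, hasLiveScript(body), csp)
	}
	fmt.Println("escaped render has live script:", hasLiveScript(renderEscaped(storedBody)))
}
```

The point of the hardened path is that the HTML is still delivered unchanged (a newsletter preview has to show real markup), but the browser is told not to execute scripts and not to treat the document as the admin origin; the same header applied to public archive pages protects ordinary visitors as well. Escaping, by contrast, only suits fields that are never meant to carry HTML.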
Affected Systems
The vulnerability affects Listmonk, the open‑source newsletter and mailing‑list manager published by knadh. Versions prior to 6.0.0 are impacted. A lower‑privileged user who can manage campaigns or templates can store the malicious code; a higher‑privileged user (a Super Admin) triggers the XSS by viewing or previewing that content. Any Listmonk instance whose public archive feature is enabled and reachable from the internet also exposes subscribers and other visitors to the stored payload.
Risk and Exploitability
The CVSS base score is 5.4 (medium). The EPSS score is below 1%, a very low estimated likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog, so no active exploitation is known. It still matters because the payload is stored: a Super Admin who opens or previews the poisoned campaign runs the script in the admin session, and any visitor who opens the campaign's public archive link runs it in their own browser. An attacker needs an account with campaign‑ or template‑management rights on the target deployment and, for the privileged outcome, a Super Admin who views the content; with public archive enabled, no admin interaction is needed to reach ordinary visitors. Because this is stored XSS rather than server‑side code execution, the damage is limited to what the victim's browser session can do, but for an admin victim that includes creating accounts and making other administrative changes, which undermines the confidentiality and integrity of the application's data.
OpenCVE Enrichment
GitHub GHSA