Vulnerability Details CVE-2026-34584
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.4%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-34584
-
cpe:2.3:a:nadh:listmonk:4.1.0
-
cpe:2.3:a:nadh:listmonk:5.0.0
-
cpe:2.3:a:nadh:listmonk:5.0.1
-
cpe:2.3:a:nadh:listmonk:5.0.2
-
cpe:2.3:a:nadh:listmonk:5.0.3
-
cpe:2.3:a:nadh:listmonk:5.1.0
-
cpe:2.3:a:nadh:listmonk:6.0.0