CVE-2026-34828
HIGH 7.1
Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
CVE Details
CVSS v3.1 Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 4/2/2026
Last Modified: 4/3/2026
Source: nvd
Honeypot Sightings: 0
Weaknesses (CWE)
CWE-613
References
https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e (security-advisories@github.com)
https://github.com/knadh/listmonk/releases/tag/v6.1.0 (security-advisories@github.com)
https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.