CVE-2026-34828
HIGH 7.1
Description
listmonk is a standalone, self-hosted newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens the account recovery and session security guarantees. This issue has been patched in version 6.1.0.
CVE details
CVSS v3.1 score: 7.1
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 4/2/2026
Last modified: 4/3/2026
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-613
References
https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e (security-advisories@github.com)
https://github.com/knadh/listmonk/releases/tag/v6.1.0 (security-advisories@github.com)
https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.