CVE-2025-49136

Published: Jun 9, 2025

Modified: Jun 10, 2025

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Vendor	Product	Versions
knadh	listmonk	affected `>= 4.0.0, < 5.0.2`

Weaknesses (CWE)

CWE-1336

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h

x_refsource_CONFIRM

https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e

x_refsource_MISC

https://github.com/knadh/listmonk/releases/tag/v5.0.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-49136

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References