CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*

History

11 Jul 2025, 17:23

Type Values Removed Values Added
References () https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e - () https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e - Patch
References () https://github.com/knadh/listmonk/releases/tag/v5.0.2 - () https://github.com/knadh/listmonk/releases/tag/v5.0.2 - Release Notes
References () https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h - () https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h - Exploit, Vendor Advisory
CWE NVD-CWE-noinfo
First Time Nadh listmonk
Nadh
CPE cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*

10 Jun 2025, 14:15

Type Values Removed Values Added
References () https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h - () https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h -
Summary
  • (es) Listmonk es un gestor de boletines y listas de correo independiente y autoalojado. A partir de la versión 4.0.0 y anteriores a la 5.0.2, las funciones de plantilla `env` y `expandenv`, habilitadas por defecto en Sprig, permiten la captura de variables de entorno en el host. Si bien esto puede no ser un problema en instalaciones de un solo usuario (superadministrador), en instalaciones multiusuario, permite a los usuarios sin superadministrador con permisos de campaña o plantilla usar la expresión de plantilla `{{ env }}` para capturar variables de entorno sensibles. Los usuarios deben actualizar a la versión 5.0.2 para mitigar el problema.

09 Jun 2025, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-09 17:15

Updated : 2025-07-11 17:23


NVD link : CVE-2025-49136

Mitre link : CVE-2025-49136

CVE.ORG link : CVE-2025-49136


JSON object : View

Products Affected

nadh

  • listmonk