CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e	Patch
https://github.com/knadh/listmonk/releases/tag/v5.0.2	Release Notes
https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h	Exploit Vendor Advisory
https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*

History

11 Jul 2025, 17:23

Type	Values Removed	Values Added
References	~~() https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e -~~	() https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e - Patch
References	~~() https://github.com/knadh/listmonk/releases/tag/v5.0.2 -~~	() https://github.com/knadh/listmonk/releases/tag/v5.0.2 - Release Notes
References	~~() https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h -~~	() https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h - Exploit, Vendor Advisory
CWE		NVD-CWE-noinfo
First Time		Nadh listmonk Nadh
CPE		cpe:2.3:a:nadh:listmonk::::::::

10 Jun 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h -~~	() https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h -
Summary		(es) Listmonk es un gestor de boletines y listas de correo independiente y autoalojado. A partir de la versión 4.0.0 y anteriores a la 5.0.2, las funciones de plantilla `env` y `expandenv`, habilitadas por defecto en Sprig, permiten la captura de variables de entorno en el host. Si bien esto puede no ser un problema en instalaciones de un solo usuario (superadministrador), en instalaciones multiusuario, permite a los usuarios sin superadministrador con permisos de campaña o plantilla usar la expresión de plantilla `{{ env }}` para capturar variables de entorno sensibles. Los usuarios deben actualizar a la versión 5.0.2 para mitigar el problema.

09 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-09 17:15

Updated : 2025-07-11 17:23

NVD link : CVE-2025-49136

Mitre link : CVE-2025-49136

CVE.ORG link : CVE-2025-49136

JSON object : View

Products Affected

nadh

listmonk

CWE

CWE-1336 NVD-CWE-noinfo

9.0 /10