CVE-2025-49136
June 09, 2025
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the "env" and "expandenv" template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the "{{ env }}" template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
Affected Packages
https://github.com/knadh/listmonk.git (GITHUB):
Affected version(s) >=v4.0.0 <v5.0.2Fix Suggestion:
Update to version v5.0.2github.com/knadh/listmonk (GO):
Affected version(s) >=v4.0.0 <v5.0.2Fix Suggestion:
Update to version v5.0.2Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements Used in a Template Engine
EPSS
Base Score:
35.14
