CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Published: Jun 9, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-49136
GHSA: GHSA-jc7g-x28f-3v3h
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWEs:

CWE-1336

Affected Software
References

Software	From	Fixed in
github.com/knadh/listmonk	4.0.0	5.0.2
nadh / listmonk	4.0.0	5.0.2

https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e
https://github.com/knadh/listmonk/releases/tag/v5.0.2
https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h

Vulnerability Database

CVE-2025-49136

Deep Security Visibility Without the Complexity