Cyber Resilience

CVE-2025-49136

Critical · Public PoC

Published: 09 June 2025

Modified: 11 July 2025
CVSS v3.1 score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.6176 (98.4th percentile)
Risk priority: 55 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-49136 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Nadh Listmonk. Its CVSS base score is 9.0 (Critical).

Operationally, its EPSS score places it in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

listmonk is a self-hosted newsletter and mailing list manager that is affected by CVE-2025-49136 in versions 4.0.0 through 5.0.1. The root cause is the default enabling of the env and expandenv template functions from the Sprig library, which permits arbitrary retrieval of host environment variables through template expressions such as {{ env }}. This occurs in the campaign and template handling components and is tracked under CWE-1336.

In multi-user deployments, any authenticated user granted campaign or template permissions can exploit the flaw to read sensitive environment variables, even without super-admin rights. The CVSS 9.0 score reflects a network-accessible, low-complexity attack by a low-privileged user (user interaction required, per the vector) that can result in high impact to confidentiality, integrity, and availability when chained with other operations.

The official GitHub security advisory GHSA-jc7g-x28f-3v3h and release notes for v5.0.2 direct administrators to upgrade immediately; the patch disables or restricts the problematic template functions. The associated EPSS score has remained flat at 0.6176 with no indicated rise after disclosure.
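One way to apply the mitigation described above, removing `env` and `expandenv` from the template function map before user-authored campaign or template bodies are rendered, as an added Go example that is not listmonk's own code; the two-function map standing in for Sprig's is an assumption:

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"text/template"
)

// Stand-in for Sprig's function map (assumed here; the real one comes from
// github.com/Masterminds/sprig). Sprig's "env" wraps os.Getenv and "expandenv"
// wraps os.ExpandEnv, which is how {{ env "X" }} in a template reaches the host.
func sprigLikeFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// hardenFuncMap returns a copy of fm without the host-environment functions,
// so a user template that calls them fails at parse time with
// "function ... not defined" instead of reading the environment at render time.
func hardenFuncMap(fm template.FuncMap) template.FuncMap {
	out := make(template.FuncMap, len(fm))
	for name, fn := range fm {
		out[name] = fn
	}
	for _, name := range []string{"env", "expandenv"} {
		delete(out, name)
	}
	return out
}

// renderWith parses and executes a user-supplied template body with fm.
func renderWith(fm template.FuncMap, body string, data interface{}) (string, error) {
	t, err := template.New("campaign").Funcs(fm).Parse(body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	_, err := renderWith(hardenFuncMap(sprigLikeFuncMap()), `{{ env "HOME" }}`, nil)
	fmt.Println("env blocked at parse time:", err != nil) // prints true
}
```

Because the denied names are removed rather than stubbed, a template that references them is rejected before execution, which is also a useful audit signal for stored campaign bodies.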

Vulnerability details

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, enable capturing of env variables on the host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

CWE(s)

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nadh
Product: listmonk
Versions: 4.0.0 — 5.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
