CVE-2025-49136
Published: 09 June 2025
Summary
CVE-2025-49136 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Nadh Listmonk. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
listmonk is a self-hosted newsletter and mailing list manager that is affected by CVE-2025-49136 in versions 4.0.0 through 5.0.1. The root cause is the default enabling of the env and expandenv template functions from the Sprig library, which permits arbitrary retrieval of host environment variables through template expressions such as {{ env }}. This occurs in the campaign and template handling components and is tracked under CWE-1336.
In multi-user deployments, any authenticated user granted campaign or template permissions can exploit the flaw to read sensitive environment variables, even without super-admin rights. The CVSS 9.0 score reflects a network-accessible attack with low complexity that can result in high impact to confidentiality, integrity, and availability when chained with other operations.
The official GitHub security advisory GHSA-jc7g-x28f-3v3h and release notes for v5.0.2 direct administrators to upgrade immediately; the patch disables or restricts the problematic template functions. The associated EPSS score has remained flat at 0.6176 with no indicated rise after disclosure.
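The root cause and the fix direction described above, as an added example that is not listmonk's or Sprig's own code: a user-authored template is rendered once with environment accessors exposed and once with them removed from the function map. The function map here is a stand-in for Sprig's (assumption), and `DEMO_DB_PASSWORD` is a constructed variable.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// defaultFuncs is a stand-in for a Sprig-style function map (assumption):
// env and expandenv are exposed to every template by default.
func defaultFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncs drops the environment accessors before any user template is parsed.
func hardenedFuncs() template.FuncMap {
	f := defaultFuncs()
	delete(f, "env")
	delete(f, "expandenv")
	return f
}

// render parses and executes a user-supplied template body with the given functions.
func render(body string, funcs template.FuncMap) (string, error) {
	t, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err // unknown functions are rejected here, before execution
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	os.Setenv("DEMO_DB_PASSWORD", "constructed-value") // constructed sample secret
	body := `Hello {{ upper "subscriber" }} {{ env "DEMO_DB_PASSWORD" }}`
	for _, funcs := range []template.FuncMap{defaultFuncs(), hardenedFuncs()} {
		out, err := render(body, funcs)
		fmt.Printf("output=%q err=%v\n", out, err)
	}
}
```

With the hardened map the template is rejected at parse time, so stored campaigns or templates that still reference the removed functions surface as errors rather than rendering silently.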
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17462
Vulnerability details
listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, enable capturing of environment variables on the host. While this may not be a problem on single-user (super admin) installations, on multi-user installations this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.