What is the CVSS score of CVE-2025-49136?

CVE-2025-49136 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 41.3%.

Which versions of Listmonk are affected by CVE-2025-49136?

A critical vulnerability in listmonk (versions 4.0.0 to 5.0.2) allows non-administrative users with campaign or template permissions to extract sensitive environment variables from the hosting…. A patch is available.

Is there a public PoC exploit available for CVE-2025-49136?

Yes, a public proof-of-concept exploit is available for CVE-2025-49136. Prioritise patching immediately. EPSS: 41.3%.

How to fix or mitigate CVE-2025-49136?

Within 24 hours: Identify all listmonk instances in your environment and determine if multi-user access is enabled; restrict template and campaign permissions to trusted administrators only as an interim measure. Within 7 days: Upgrade all affected listmonk instances to version 5.0.2 or later. Within 30 days: Conduct a security audit to identify any unauthorized environment variable access in logs; rotate all sensitive credentials (database passwords, API keys) that may have been exposed.

Listmonk CVE-2025-49136

EUVD-2025-17462 CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2025-06-09 security-advisories@github.com

GHSA-jc7g-x28f-3v3h

Privilege Escalation Information Disclosure Listmonk Suse

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17462

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

Patch released

Mar 14, 2026 - 19:21 nvd

Patch available

PoC Detected

Jul 11, 2025 - 17:23 vuln.today

Public exploit code

CVE Published

Jun 09, 2025 - 17:15 nvd

CRITICAL 9.0

DescriptionNVD

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

AnalysisAI

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 9.0 indicates critical severity with likely remote exploitation vector. Affects version 4.0.0 and.

RemediationAI

Apply the vendor-supplied patch immediately.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2025-49136 vulnerability details – vuln.today

Back

Listmonk CVE-2025-49136

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code