Skip to main content

Listmonk CVE-2025-49136

| EUVDEUVD-2025-17462 CRITICAL
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2025-06-09 security-advisories@github.com GHSA-jc7g-x28f-3v3h
Critical
Disputed · 9.0 NVD
Share

Severity by source

Sources disagree (Low–Critical)
GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
SUSE
3.1 LOW
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17462
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
Patch released
Mar 14, 2026 - 19:21 nvd
Patch available
PoC Detected
Jul 11, 2025 - 17:23 vuln.today
Public exploit code
CVE Published
Jun 09, 2025 - 17:15 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

AnalysisAI

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 9.0 indicates critical severity with likely remote exploitation vector. Affects version 4.0.0 and.

RemediationAI

Apply the vendor-supplied patch immediately.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Affected
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2025-49136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy