How to fix CVE-2025-49136?

Within 24 hours: Identify all listmonk instances in your environment and determine if multi-user access is enabled; restrict template and campaign permissions to trusted administrators only as an interim measure. Within 7 days: Upgrade all affected listmonk instances to version 5.0.2 or later. Within 30 days: Conduct a security audit to identify any unauthorized environment variable access in logs; rotate all sensitive credentials (database passwords, API keys) that may have been exposed.

Is Listmonk affected by CVE-2025-49136?

A critical vulnerability in listmonk (versions 4.0.0 to 5.0.2) allows non-administrative users with campaign or template permissions to extract sensitive environment variables from the hosting server, potentially exposing database credentials, API keys, and other secrets.

CVE-2025-49136

EUVD-2025-17462 CRITICAL

2025-06-09 [email protected]

GHSA-jc7g-x28f-3v3h

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17462

Patch Released

Mar 14, 2026 - 19:21 nvd

Patch available

PoC Detected

Jul 11, 2025 - 17:23 vuln.today

Public exploit code

CVE Published

Jun 09, 2025 - 17:15 nvd

CRITICAL 9.0

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Analysis

A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.

Technical Context

Vulnerability type not specified by vendor. CVSS 9.0 indicates critical severity with likely remote exploitation vector. Affects version 4.0.0 and.

Affected Products

['version 4.0.0 and']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

106

Low Medium High Critical

KEV: 0

EPSS: +41.3

CVSS: +45

POC: +20

Vendor Status

CVE-2025-49136 vulnerability details – vuln.today

Back

CVE-2025-49136

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-49136

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code