CVE-2025-49136 Information

Jun 10, 2025 cve

Description

listmonk is a standalone self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2 the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations on multi-user installations this allows non-super-admin users with campaign or template permissions to use the env template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Reference

https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e https://github.com/knadh/listmonk/releases/tag/v5.0.2 https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h

Share on: