CVE-2025-49136
CRITICALlistmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
CVSS v3
9
CRITICAL
EPSS Score
61.8%
exploit probability
CISA KEV
No
known exploited
Exploitation
poc
SSVC status
Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive env
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 6/9/2025
- Last Modified
- 7/11/2025
Frequently Asked Questions
What is CVE-2025-49136?
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive env
Is CVE-2025-49136 actively exploited?
A proof-of-concept exploit exists for CVE-2025-49136, but active exploitation has not been confirmed at this time.
What is the CVSS score for CVE-2025-49136?
CVE-2025-49136 has a CVSS v3 base score of 9 (CRITICAL severity), with vector string 3.1.
Is CVE-2025-49136 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.