CVE-2025-49136
published 2025-06-09


Priority: P3 · 41
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 0.91% (55.4th percentile)

listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, allow environment variables on the host to be captured. While this may not be a problem on single-user (super admin) installations, on multi-user installations it allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | knadh_listmonk | >= 4.0.0 < 5.0.2 | 5.0.2 |
| knadh | listmonk | | |
| nadh | listmonk | >= 4.0.0 < 5.0.2 | 5.0.2 |

Detection & IOCs (extracted from sources)

command: `{{ env }}`
version: listmonk < 5.0.2
  • Detect use of Sprig template injection expressions `{{ env }}` or `{{ expandenv }}` in campaign or template content submitted to Listmonk, which are the specific functions abused to exfiltrate host environment variables.
  • Monitor Listmonk campaign preview API endpoints for requests by non-super-admin users containing template expressions referencing `env` or `expandenv`, which indicate active exploitation attempts.
  • A public Metasploit auxiliary module (`auxiliary/gather/listmonk_env_disclosure`) exists for this CVE; correlate IDS/WAF logs for Metasploit default user-agent strings against Listmonk campaign/preview endpoints.
  • The vulnerability only poses a meaningful risk on multi-user Listmonk installations; single-user (super admin only) deployments are not practically impacted since the super admin already has full access.
  • The `env` and `expandenv` Sprig template functions are enabled by default in affected versions (4.0.0–5.0.1); no special configuration is required for exploitation, so any user with campaign or template permissions is a potential threat actor.
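
The content check from the first detection bullet, as an added example (not listmonk's code and not from the advisory): it parses a campaign or template body with Go's `text/template/parse` and reports whether the body calls `env` or `expandenv`, so the plain word in text, a string literal or a `.env` field does not match. It goes slightly beyond the literal `{{ env }}` string by also covering piped, parenthesized and `{{ define }}`d calls; the name `UsesEnvFuncs` and the sample body are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"text/template/parse"
)

// walk adds the name of every function called under nodes to calls.
func walk(calls map[string]bool, nodes ...parse.Node) {
	for _, n := range nodes {
		switch v := n.(type) {
		case *parse.ListNode:
			if v != nil { // ElseList is nil when there is no {{ else }}
				walk(calls, v.Nodes...)
			}
		case *parse.PipeNode:
			for i := 0; v != nil && i < len(v.Cmds); i++ { // nil: {{ template "x" }}
				walk(calls, v.Cmds[i].Args...)
			}
		case *parse.ActionNode:
			walk(calls, v.Pipe)
		case *parse.TemplateNode:
			walk(calls, v.Pipe)
		case *parse.IfNode:
			walk(calls, v.Pipe, v.List, v.ElseList)
		case *parse.RangeNode:
			walk(calls, v.Pipe, v.List, v.ElseList)
		case *parse.WithNode:
			walk(calls, v.Pipe, v.List, v.ElseList)
		case *parse.ChainNode:
			walk(calls, v.Node)
		case *parse.IdentifierNode:
			calls[v.Ident] = true
		}
	}
}

// UsesEnvFuncs (hypothetical helper) reports whether body calls env or expandenv.
func UsesEnvFuncs(body string) (bool, error) {
	// SkipFuncCheck lets application-defined function names parse without a FuncMap.
	t := &parse.Tree{Name: "body", Mode: parse.SkipFuncCheck}
	trees, calls := map[string]*parse.Tree{}, map[string]bool{}
	_, err := t.Parse(body, "", "", trees) // on error, treat the body as rejected
	for _, tr := range trees {             // includes {{ define }} blocks
		walk(calls, tr.Root)
	}
	return calls["env"] || calls["expandenv"], err
}

func main() { fmt.Println(UsesEnvFuncs(`Hi {{ "HOME" | env }}`)) } // constructed body
```

A body that fails to parse returns a non-nil error and should be held for review rather than treated as clean.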