CVE-2025-49136
Published 2025-06-09
Priority P3 · 41 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 0.91% (55.4th percentile)
listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, allow environment variables on the host to be captured. While this may not be a problem on single-user (super admin) installations, on multi-user installations it allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | knadh_listmonk | >= 4.0.0 < 5.0.2 | 5.0.2 |
| knadh | listmonk | — | — |
| nadh | listmonk | >= 4.0.0 < 5.0.2 | 5.0.2 |
Detection & IOCs
- Detect use of the Sprig template injection expressions `{{ env }}` or `{{ expandenv }}` in campaign or template content submitted to Listmonk; these are the specific functions abused to exfiltrate host environment variables.
- Monitor Listmonk campaign preview API endpoints for requests by non-super-admin users containing template expressions referencing `env` or `expandenv`, which indicate active exploitation attempts.
- A public Metasploit auxiliary module (`auxiliary/gather/listmonk_env_disclosure`) exists for this CVE; correlate IDS/WAF logs for Metasploit default user-agent strings against Listmonk campaign/preview endpoints.
- The vulnerability only poses a meaningful risk on multi-user Listmonk installations; single-user (super admin only) deployments are not practically impacted since the super admin already has full access.
- The `env` and `expandenv` Sprig template functions are enabled by default in affected versions (4.0.0–5.0.1); no special configuration is required for exploitation, so any user with campaign or template permissions is a potential threat actor.
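One way to implement the first two detection items, as an added Go example (not listmonk's code and not part of the advisory): rather than pattern-matching text, it parses a submitted campaign or template body with `text/template/parse` and counts every function the body calls, so `env` and `expandenv` are found in pipelines, branches, parenthesised arguments and `define` blocks, while a field such as `.env` or the plain word "env" is not. The name `calledFuncs` and the sample body are constructed; returning all called names goes slightly beyond the two functions and also supports an allowlist.

```go
package main

import (
	"fmt"
	"text/template/parse"
)

// calledFuncs counts each function a template body calls; SkipFuncCheck accepts Sprig names.
func calledFuncs(body string) (map[string]int, error) {
	t, trees := &parse.Tree{Name: "body", Mode: parse.SkipFuncCheck}, map[string]*parse.Tree{}
	if _, err := t.Parse(body, "{{", "}}", trees); err != nil {
		return nil, err // unparseable body: reject it rather than guess
	}
	calls := map[string]int{}
	var walk func(ns ...parse.Node)
	walk = func(ns ...parse.Node) {
		for _, n := range ns {
			switch v := n.(type) {
			case *parse.IdentifierNode: // a function name, never a .field or text
				calls[v.Ident]++
			case *parse.ListNode:
				if v != nil { // ElseList is nil when there is no {{ else }}
					walk(v.Nodes...)
				}
			case *parse.PipeNode:
				for i := 0; v != nil && i < len(v.Cmds); i++ {
					walk(v.Cmds[i].Args...)
				}
			case *parse.ActionNode:
				walk(v.Pipe)
			case *parse.TemplateNode:
				walk(v.Pipe)
			case *parse.ChainNode: // (pipeline).Field
				walk(v.Node)
			case *parse.IfNode:
				walk(v.Pipe, v.List, v.ElseList)
			case *parse.RangeNode:
				walk(v.Pipe, v.List, v.ElseList)
			case *parse.WithNode:
				walk(v.Pipe, v.List, v.ElseList)
			}
		}
	}
	for _, tr := range trees { // trees holds the body and every {{ define }} block
		walk(tr.Root)
	}
	return calls, nil
}

func main() { fmt.Println(calledFuncs(`Hi {{ .Name }} {{ "HOME" | env }}`)) } // constructed body
```

A reviewer or pre-save hook would flag a body when `calls["env"]` or `calls["expandenv"]` is non-zero, and treat a parse error as a rejection.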
OSV
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user in github.com/knadh/listmonk
osv·2025-06-10
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user in github.com/knadh/listmonk.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/knadh/listmonk from v4.0.0 before v5.0.2.
GHSA
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
ghsa·2025-06-09
CVE-2025-49136 [CRITICAL] CWE-1336 listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
### Summary
The `env` and `expandenv` template functions, which are enabled by default in [Sprig](https://masterminds.github.io/sprig/), allow environment variables on the host to be captured. While this may not be a problem on single-user (super admin) installations, on multi-user installations it allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables.
**Upgrade to [v5.0.2](https://github.com/knadh/listmonk/releases/tag/v5.0.2)** to mitigate.
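Why the default function map matters, as an added Go example (not listmonk's code and not its v5.0.2 patch): `sprigLike`, `withoutEnv` and `render` are hypothetical names, the map is a three-entry stand-in for Sprig's, and the environment variable is constructed. With the two functions absent from the map, the same body is rejected at parse time instead of being rendered.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// sprigLike stands in for Sprig's function map (assumption: three entries only).
// env and expandenv are bound to os.Getenv and os.ExpandEnv, as they are in Sprig.
func sprigLike() template.FuncMap {
	return template.FuncMap{"env": os.Getenv, "expandenv": os.ExpandEnv, "upper": strings.ToUpper}
}

// withoutEnv copies funcs, leaving out the two functions that read the host environment.
func withoutEnv(funcs template.FuncMap) template.FuncMap {
	safe := template.FuncMap{}
	for name, fn := range funcs {
		if name != "env" && name != "expandenv" {
			safe[name] = fn
		}
	}
	return safe
}

// render parses and executes a user-supplied body with the given function map.
func render(body string, funcs template.FuncMap) (string, error) {
	tpl, err := template.New("campaign").Funcs(funcs).Parse(body)
	if err != nil {
		return "", err // an unknown function is rejected here, before execution
	}
	var out bytes.Buffer
	err = tpl.Execute(&out, nil)
	return out.String(), err
}

func main() {
	os.Setenv("DEMO_DB_PASSWORD", "constructed-secret") // constructed value
	body := `{{ upper "hi" }} {{ env "DEMO_DB_PASSWORD" }}`
	fmt.Println(render(body, sprigLike()))             // env is resolved on the host
	fmt.Println(render(body, withoutEnv(sprigLike()))) // parse error, nothing rendered
}
```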
# Demonstration
### Description
A critical template injection vulnerability exists in Listmonk's campaign preview functionality that allows aut
OSV
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
osv·2025-06-09
CVE-2025-49136 [CRITICAL] listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
No detection rules found.