{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49136", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-02T10:39:41.634Z", "datePublished": "2025-06-09T16:21:48.266Z", "dateUpdated": "2025-06-10T13:25:02.262Z"}, "containers": {"cna": {"title": "listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"}, {"name": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e"}, {"name": "https://github.com/knadh/listmonk/releases/tag/v5.0.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/releases/tag/v5.0.2"}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"version": ">= 4.0.0, < 5.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-09T16:21:48.266Z"}, "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue."}], "source": {"advisory": "GHSA-jc7g-x28f-3v3h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T13:24:43.793880Z", "id": "CVE-2025-49136", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T13:25:02.262Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49136", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-10T13:24:43.793880Z"}}}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T13:24:51.733Z"}}], "cna": {"title": "listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user", "source": {"advisory": "GHSA-jc7g-x28f-3v3h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"status": "affected", "version": ">= 4.0.0, < 5.0.2"}]}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h", "name": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e", "name": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/knadh/listmonk/releases/tag/v5.0.2", "name": "https://github.com/knadh/listmonk/releases/tag/v5.0.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-09T16:21:48.266Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49136", "state": "PUBLISHED", "dateUpdated": "2025-06-10T13:25:02.262Z", "dateReserved": "2025-06-02T10:39:41.634Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-09T16:21:48.266Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*", "matchCriteriaId": "0819712B-FBD6-4D10-875B-7DFAA1D602D1", "versionEndExcluding": "5.0.2", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue."}, {"lang": "es", "value": "Listmonk es un gestor de boletines y listas de correo independiente y autoalojado. A partir de la versi\u00f3n 4.0.0 y anteriores a la 5.0.2, las funciones de plantilla `env` y `expandenv`, habilitadas por defecto en Sprig, permiten la captura de variables de entorno en el host. Si bien esto puede no ser un problema en instalaciones de un solo usuario (superadministrador), en instalaciones multiusuario, permite a los usuarios sin superadministrador con permisos de campa\u00f1a o plantilla usar la expresi\u00f3n de plantilla `{{ env }}` para capturar variables de entorno sensibles. Los usuarios deben actualizar a la versi\u00f3n 5.0.2 para mitigar el problema."}], "id": "CVE-2025-49136", "lastModified": "2025-07-11T17:23:30.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-06-09T17:15:29.917", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/knadh/listmonk/releases/tag/v5.0.2"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{}