CVE-2025-49136

Опубликовано: 09 июн. 2025

Источник: nvd

CVSS3: 9

CVSS3: 6.5

EPSS Средний

Описание

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

Ссылки

https://github.com/knadh/listmonk/commit/d27d2c32cf3af2d0b24e29ea5a686ba149b49b3e
Patch
https://github.com/knadh/listmonk/releases/tag/v5.0.2
Release Notes
https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h
Exploit
Vendor Advisory
https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 5.0.2 (исключая)

EPSS

Процентиль: 97%

0.35141

Средний

9 Critical

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-1336

NVD-CWE-noinfo

Связанные уязвимости

GHSA-jc7g-x28f-3v3h

CVSS3: 9

github

8 месяцев назад

listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user

EPSS

Процентиль: 97%

0.35141

Средний

9 Critical

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-1336

NVD-CWE-noinfo