
CVE-2025-49136: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in knadh listmonk

Severity: Critical
Published: Mon Jun 09 2025 (06/09/2025, 16:21:48 UTC)
Source: CVE Database V5
Vendor/Project: knadh
Product: listmonk

Description

listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, enable capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.

AI-Powered Analysis

Last updated: 07/11/2025, 01:49:09 UTC

Technical Analysis

CVE-2025-49136 is a critical vulnerability affecting the listmonk software, a standalone, self-hosted newsletter and mailing list manager. The vulnerability arises from improper neutralization of special elements used in the template engine, specifically involving the 'env' and 'expandenv' template functions provided by the Sprig template library. These functions, enabled by default in listmonk versions from 4.0.0 up to but not including 5.0.2, allow template expressions to access environment variables on the host system. While this behavior may be acceptable in single-user deployments where the user is a super administrator, it becomes a significant security risk in multi-user environments. In such setups, non-super-admin users who have permissions to create or modify campaigns or templates can exploit the '{{ env }}' template expression to extract sensitive environment variables. This can lead to unauthorized disclosure of secrets such as API keys, database credentials, or other configuration data stored in environment variables. The vulnerability is classified under CWE-1336, which relates to improper neutralization of special elements in template engines, enabling injection or information disclosure attacks. The CVSS v3.1 score is 9.1 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with low attack complexity and the requirement of only low privileges and user interaction. No known exploits have been reported in the wild yet. The recommended mitigation is to upgrade listmonk to version 5.0.2 or later, where this issue has been addressed by disabling or properly securing the 'env' and 'expandenv' functions. Until the upgrade, administrators should restrict template and campaign editing permissions to trusted users only and consider isolating the deployment environment to minimize exposure of sensitive environment variables.

Potential Impact

For European organizations using listmonk in multi-user configurations, this vulnerability poses a severe risk. Attackers with limited privileges can extract sensitive environment variables, potentially exposing credentials for databases, cloud services, or internal APIs. This can lead to further compromise of internal systems, data breaches involving personal or customer data, and disruption of email campaigns. Given the criticality of the CVSS score and the potential for privilege escalation or lateral movement, the impact on confidentiality, integrity, and availability is substantial. Organizations subject to GDPR and other data protection regulations face increased compliance risks and potential fines if sensitive personal data is exposed due to exploitation of this vulnerability. Additionally, the disruption of communication channels via compromised mailing lists can affect business operations and reputation. The multi-user nature of many European enterprises’ deployments makes this vulnerability particularly relevant, especially in sectors like finance, healthcare, and government where secure communications are paramount.

Mitigation Recommendations

1. Immediate upgrade to listmonk version 5.0.2 or later, where the vulnerability is fixed.
2. Until upgrade is possible, restrict campaign and template editing permissions strictly to super-admin or highly trusted users to prevent exploitation by lower-privileged users.
3. Review and minimize environment variables exposed to the listmonk process, removing any unnecessary sensitive data.
4. Implement network segmentation and access controls to isolate listmonk servers from critical infrastructure and sensitive data stores.
5. Monitor logs and template changes for suspicious use of '{{ env }}' or similar expressions indicative of exploitation attempts.
6. Conduct internal audits of user roles and permissions regularly to ensure least privilege principles are enforced.
7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block malicious template expressions if feasible.
8. Educate administrators and developers about secure template usage and the risks of exposing environment variables in multi-user environments.
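The following Go example, added here and not taken from listmonk or Sprig, illustrates both the Technical Analysis above and mitigation step 5: a Go `text/template` FuncMap that exposes `env`/`expandenv` the way Sprig does (a constructed stand-in mapped to the same `os` calls), a hardened FuncMap with those two functions removed so such templates fail to parse, and a detector that flags stored templates calling them. The function names, the `DEMO_DB_PASSWORD` variable and the sample template are assumptions; removing the functions is one possible fix, not the project's own patch.

```go
package main

import (
	"bytes"
	"os"
	"regexp"
	"strings"
	"text/template"
)

// Constructed stand-in for Sprig's env/expandenv (Sprig wires them to these same
// os calls); using the stdlib keeps the example free of the third-party module.
func sprigLikeFuncMap() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncMap drops the host-environment functions before the map reaches
// the engine, so a template calling them fails to parse instead of reading env.
func hardenedFuncMap(fm template.FuncMap) template.FuncMap {
	out := template.FuncMap{}
	for name, fn := range fm {
		if name != "env" && name != "expandenv" {
			out[name] = fn
		}
	}
	return out
}

// render parses and executes a user-supplied campaign or template body.
func render(fm template.FuncMap, src string) (string, error) {
	t, err := template.New("campaign").Funcs(fm).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// usesEnvFunc flags stored templates whose actions call env or expandenv, in
// direct ({{ env "X" }}) or pipeline ({{ "X" | env }}) form, for mitigation step 5.
var envCall = regexp.MustCompile(`\{\{(?:[^}]*[^.\w])?(env|expandenv)\b`)
func usesEnvFunc(src string) bool { return envCall.MatchString(src) }
```

The detector is a monitoring aid only: it flags `{{ .env }}`-style field access as clean and does not see functions reached through other indirection, which is why removing the functions from the FuncMap, not pattern matching, is the actual fix.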


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-02T10:39:41.634Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f591b0bd07c3938a9bd

Added to database: 6/10/2025, 6:54:17 PM

Last enriched: 7/11/2025, 1:49:09 AM

Last updated: 8/10/2025, 6:16:11 AM
