Jan 6, 2026
Listmonk included the 'Sprig' template library without sanitization. This allowed any user with permission to create email templates to use the `{{ env }}` function. This function dumps the server's environment variables, handing over DB passwords, AWS keys, and config secrets to anyone who can preview an email. Fixed in v5.0.2.
A critical Server-Side Template Injection (SSTI) vulnerability in listmonk allows authenticated users to read host environment variables via the Sprig template library, exposing database credentials and cloud secrets.
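
The exposure described above, and one way to close it, as an added example that is not listmonk's code or its actual fix. `sprigLike` is a hypothetical stand-in for Sprig's function map built from the standard library, and `hardened`, `render` and `DEMO_SECRET` are likewise constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// sprigLike stands in for the function map a helper library such as Sprig
// adds to the template engine (constructed; only three helpers shown).
func sprigLike() template.FuncMap {
	return template.FuncMap{"upper": strings.ToUpper, "env": os.Getenv, "expandenv": os.ExpandEnv}
}

// hardened returns a copy of fm without the helpers that read the host environment.
func hardened(fm template.FuncMap) template.FuncMap {
	out := template.FuncMap{}
	for name, fn := range fm {
		if name != "env" && name != "expandenv" {
			out[name] = fn
		}
	}
	return out
}

// render parses and executes a user-authored template body, as a preview would.
func render(body string, fm template.FuncMap) (string, error) {
	t, err := template.New("preview").Funcs(fm).Parse(body)
	if err != nil {
		return "", err // an unknown function is rejected here, before execution
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("DEMO_SECRET", "constructed-value") // constructed sample secret
	body := `{{ upper "hello" }} {{ env "DEMO_SECRET" }}`
	fmt.Println(render(body, sprigLike()))           // secret reaches the preview
	fmt.Println(render(body, hardened(sprigLike()))) // parse error: env not defined
}
```

Sprig also ships `HermeticTxtFuncMap()`, which leaves out `env` and `expandenv` along with its other host-dependent helpers.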
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| listmonk knadh | >= 4.0.0, < 5.0.2 | 5.0.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-1336 (Template Injection) |
| CVSS v3.1 | 9.1 (Critical) |
| Attack Vector | Network (Authenticated) |
| EPSS Score | 0.35141 (High) |
| Exploit Status | Weaponized (Metasploit) |
| Affected Component | Sprig Template Library Integration |
Improper Neutralization of Special Elements Used in a Template Engine (SSTI)