CVE-2025-49136 — AI Deep Analysis Summary

🚨 **Essence**: listmonk < v5.0.2 allows template functions to capture environment variables. 📉 **Consequences**: Sensitive information leakage. Attackers can expose critical system data through malicious templates.

🛡️ **Root Cause**: CWE-1336 (Improper Restriction of Renderable Code Regions). The flaw lies in how template functions handle environment variable capture, allowing unintended data exposure.

👥 **Affected**: Users running **listmonk** versions **prior to 5.0.2**. Vendor: **knadh**. This applies to self-hosted, high-performance newsletter managers.

💀 **Attacker Capabilities**: With access, hackers can achieve **High Confidentiality**, **High Integrity**, and **High Availability** impact. They can read sensitive env vars and potentially modify system state.

🔓 **Exploitation Threshold**: **Medium**. Requires **Low Complexity** and **Network** access. However, it needs **Low Privileges** (authenticated user) and **User Interaction** (UI:R).

🚫 **Public Exploit**: **No**. The `pocs` field is empty. No public Proof-of-Concept or wild exploitation code is currently available in the provided data.

🔍 **Self-Check**: Check your listmonk version. If it is **< 5.0.2**, you are vulnerable. Scan for custom templates that might inject environment variable references.

✅ **Official Fix**: **Yes**. Patched in **v5.0.2**. See GitHub Advisory GHSA-jc7g-x28f-3v3h and release notes for the official resolution.

🛠️ **No Patch Workaround**: Restrict template editing permissions. Disable custom template injection if possible. Isolate the instance from sensitive environment variables.

🔥 **Urgency**: **HIGH**. CVSS Score is high (implied by C:H/I:H/A:H). Immediate upgrade to v5.0.2+ is recommended to prevent sensitive data leaks.