Kailash Nadh

4 exploits, active since Jun 2025
CVE-2025-49136 CRITICAL WRITEUP
listmonk 4.0.0-5.0.1 - Unauthenticated Sensitive Environment Variable Exposure via Template Function
listmonk is a standalone, self-hosted newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions, which are enabled by default in Sprig, allow environment variables on the host to be captured. While this may not be a problem on single-user (super admin) installations, on multi-user installations it allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue.
CVSS 9.0
CVE-2026-34584 MEDIUM WRITEUP
listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)
listmonk is a standalone, self-hosted newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allow users in a multi-user environment to access lists that they do not have access to, under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.
CVSS 5.4
CVE-2026-34828 HIGH WRITEUP
listmonk: Active sessions remain valid after password reset and password change
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
CVSS 7.1
CVE-2025-46011 MEDIUM WRITEUP
listmonk 2.4.0-4.1.0 - SQL Injection in QuerySubscribers Function
listmonk v4.1.0 (fixed in v5.0.0) is vulnerable to SQL injection in the QuerySubscribers function, which allows attackers to escalate privileges.
CVSS 6.5