Filtered by vendor Nadh
Subscriptions
Total
2 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-58430 | 2 Listmok Project, Nadh | 2 Listmonk, Listmonk | 2025-09-12 | N/A |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available. | ||||
| CVE-2025-49136 | 1 Nadh | 1 Listmonk | 2025-07-11 | 9.1 Critical |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue. | ||||
Page 1 of 1.