CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2025-1686

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 21.6%

CVSS Severity

CVSS v3 Score 6.8

References

https://github.com/PebbleTemplates/pebble/issues/680
https://github.com/PebbleTemplates/pebble/issues/688
https://pebbletemplates.io/wiki/tag/include
https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594
https://security.snyk.io/vuln/SNYK-JAVA-IOPEBBLETEMPLATES-8745594

Products affected by CVE-2025-1686

Pebbletemplates » Pebble » Version: Any

cpe:2.3:a:pebbletemplates:pebble:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-1686

Products

Pricing

Contact Us