Io.Pebbletemplates
Approved changes feed: RSS · Atom
cpe:2.3:a:n/a:io.pebbletemplates:pebble:*:*:*:*:*:*:*:*
part: a version: pebble update: *
| Vendor | N/A (22f567d3-1203-528c-8f0e-3eb9c2f6ca78) |
|---|---|
| Product | Io.Pebbletemplates (4c49821e-38f7-58ce-b35e-865243965fb5) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-1686 |
vulnerable | 2026-06-08 07:08:37.586254 |
Details available
MEDIUM (6.8)
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.
Workaround
This vulnerability can be mitigated by disabling the include macro in Pebble Templates:
java
new PebbleEngine.Builder()
.registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
.disallowedTokenParserTags(List.of("include"))
.build())
.build();
Published: 2025-02-27T05:00:05.848Z
Updated: 2026-04-19T07:54:57.303Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.