
cpe:2.3:a:n/a:io.pebbletemplates:pebble:*:*:*:*:*:*:*:*

part: a version: pebble update: *

Vendor: N/A (22f567d3-1203-528c-8f0e-3eb9c2f6ca78)
Product: Io.Pebbletemplates (4c49821e-38f7-58ce-b35e-865243965fb5)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier: CVE:CVE-2025-1686
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:08:37.586254
db.gcve.eu details: Details available

MEDIUM (6.8)

Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ.

Workaround

This vulnerability can be mitigated by disabling the include macro in Pebble Templates:

```java
new PebbleEngine.Builder()
    .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
        .disallowedTokenParserTags(List.of("include"))
        .build())
    .build();
```

Published: 2025-02-27T05:00:05.848Z
Updated: 2026-04-19T07:54:57.303Z
Rationale: Imported from gcve-enriched-dumps CVE data
