Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-1686

CVSS 6.8 · Medium EPSS 0.25% · P48
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-1686

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
文件名或路径的外部可控制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Pebble 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Pebble是PebbleTemplates开源的一款Java模板引擎。 Pebble存在安全漏洞,该漏洞源于容易通过include标记受到文件名或路径的外部控制,高权限攻击者可以通过制作恶意通知模板来访问敏感的本地文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-io.pebbletemplates:pebble 0 ~ 4.1.0 -

II. Public POCs for CVE-2025-1686

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-1686

登录查看更多情报信息。

Same Patch Batch · n/a · 2025-02-27 · 42 CVEs total

CVE-2025-17414.7 MEDIUMb1gMail Admin Page users.php deserialization
CVE-2024-41340DrayTek Vigor 165 代码问题漏洞
CVE-2024-41338DrayTek Vigor 165 代码问题漏洞
CVE-2024-41334DrayTek Vigor 165 代码注入漏洞
CVE-2024-51138DrayTek Vigor 165 安全漏洞
CVE-2024-51139DrayTek Vigor 165 安全漏洞
CVE-2024-38290Extreme Networks Extreme ExtremeCloud IQ Site Engine 信息泄露漏洞
CVE-2024-38291Extreme Networks Extreme ExtremeCloud IQ Site Engine 安全漏洞
CVE-2024-38292Extreme Networks Extreme ExtremeCloud IQ Site Engine 路径遍历漏洞
CVE-2025-26264Geovision GV-ASWeb 代码注入漏洞
CVE-2025-26325ShopXO 代码问题漏洞
CVE-2025-25570Vben-Admin 安全漏洞
CVE-2025-25730Motorola Mobility Droid Razr HD (Model XT926) System 访问控制错误漏洞
CVE-2024-36046Infoblox NIOS 安全漏洞
CVE-2024-36047Infoblox NIOS 输入验证错误漏洞
CVE-2024-37567Infoblox NIOS 访问控制错误漏洞
CVE-2024-37566Infoblox NIOS 访问控制错误漏洞
CVE-2025-25477sysPass 注入漏洞
CVE-2025-25729Bosscomm IF740 信息泄露漏洞
CVE-2025-25727Bosscomm IF740 安全漏洞

Showing top 20 of 42 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same vendor: n/a
Same weakness: CWE-73

V. Comments for CVE-2025-1686

No comments yet

Leave a comment