4 matches found
ai.djl.timeseries:timeseries (>=0.19.0 <=0.33.0), cc.akkaha:pea-dubbo_2.12 (>=0.1.5 <=0.7.0) +482 more potentially affected by CVE-2025-1686 +1 more via io.pebbletemplates:pebble (>=2.5.0 <=3.2.3)
io.pebbletemplates:pebble MAVEN version =2.5.0, =0.19.0, =0.1.5, =0.3.0, =0.1.0, =4.1.0, =16.5.0, =6.5.1, =6.0.0, =12.0.0-beta, =16.0.9 and more Source cves: CVE-2025-1686, CVE-2025-27137 Source advisory: OSV:GHSA-P75G-CXFJ-7WRX...
CVE-2025-27137
Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track allows users with the SYSTEMCONFIGURATION permission to customize notification templates. Templates are evaluated using the Pebble template engine...
CVE-2025-27137 Dependency-Track vulnerable to local file inclusion via custom notification templates
Dependency-Track is a component analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track allows users with the SYSTEMCONFIGURATION permission to customize notification templates. Templates are evaluated using the Pebble template engine...
CVE-2025-27137
Summary: CVE-2025-27137 affects Dependency-Track where templates are evaluated with Pebble and can be manipulated via the include tag. Prior to version 4.12.6, users with the SYSTEM_CONFIGURATION permission could exploit include to read arbitrary local files (e.g., /etc/passwd, /proc/1/environ) b...