How severe is CVE-2025-1686?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2025-1686?

This is classified as CWE-73, which is a common weakness in software security.

CVE-2025-1686

MEDIUM Year: 2025

CVSS v3 Score

4.9

Medium

Weakness Type

CWE-73

View all →

Vulnerability Description

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

CVE-2020-26078

MEDIUM

CVSS:4.9(Medium)

A vulnerability in the file system of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to overwrite files on an affected system. The vulnerability is due to insuffi...

CWE-732020

CVE-2020-5296

MEDIUM

CVSS:4.9(Medium)

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vuln...

CWE-732020

CVE-2021-24966

MEDIUM

CVSS:4.9(Medium)

The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outsi...

CWE-732021

CVE-2022-0246

MEDIUM

CVSS:4.9(Medium)

The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by up...

CWE-732022

CVE-2023-5816

MEDIUM

CVSS:4.9(Medium)

The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing...

CWE-732023

CVE-2024-12875

MEDIUM

CVSS:4.9(Medium)

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.2 via the file download ...

CWE-732024

CVE-2025-1686

Vulnerability Description

Related Vulnerabilities

CVE-2020-26078

CVE-2020-5296

CVE-2021-24966

CVE-2022-0246

CVE-2023-5816

CVE-2024-12875