PT-2025-7790 · Unknown · Dependency-Track

Jonathan Leitschuh · Published 2025-02-24 · Updated 2025-02-28 · CVE-2025-27137

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dependency-Track versions prior to 4.12.6
Description: The issue allows users holding the SYSTEM CONFIGURATION permission to abuse the include tag in notification templates. By including local files such as /etc/passwd or /proc/1/environ in a template and sending the resulting notification to a destination they control, such users can leak sensitive files from the server.
Recommendations: For versions prior to 4.12.6, avoid assigning the SYSTEM CONFIGURATION permission to untrusted users; this permission is a security risk if granted to non-administrative users or teams. Update to version 4.12.6 or later, where the include tag is no longer supported and any use of it causes template evaluation to fail.
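A defensive check for the behaviour described above, added here as an illustration and not code from Dependency-Track or from the advisory: it audits a set of stored notification templates and flags any that use the include tag, so an operator on a version before 4.12.6 can find risky templates before upgrading. It assumes Pebble-style tag syntax (`{% include "..." %}`), which the advisory itself does not spell out; the template contents are constructed for this example.

```python
import re

# Assumption: notification templates use Pebble-style tags, {% ... %}, so an
# include looks like {% include "file" %} (with optional whitespace-trimming
# dashes, {%- ... -%}). The advisory only names the tag, not its syntax.
INCLUDE_TAG = re.compile(r"\{%-?\s*include\b(?P<args>[^%]*?)-?%\}", re.DOTALL)


def find_include_tags(template: str) -> list:
    """Return every include tag found in one template body, verbatim."""
    return [m.group(0).strip() for m in INCLUDE_TAG.finditer(template)]


def audit_templates(templates: dict) -> dict:
    """Map template name -> list of include tags, for templates that use any.

    Templates without an include tag are omitted, so an empty result means
    nothing on this instance relies on the tag the fix removes.
    """
    findings = {}
    for name, body in templates.items():
        tags = find_include_tags(body)
        if tags:
            findings[name] = tags
    return findings


# Constructed sample templates: one ordinary, one using include with a
# placeholder path, one using the whitespace-trimming form.
SAMPLE_TEMPLATES = {
    "new_vulnerability": (
        "Vulnerability {{ vulnerability.vulnId }} affects {{ component.name }}."
    ),
    "custom_report": (
        "Report for {{ project.name }}\n"
        '{% include "/path/on/server" %}\n'
        "{{ notification.content }}"
    ),
    "trimmed": '{%- include "other.peb" -%}',
}


if __name__ == "__main__":
    for name, tags in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(tags)}")
```

Run it against an export of your instance's templates (after adapting the dict) and treat any hit as a template to rewrite before the upgrade, since 4.12.6 fails evaluation on those tags rather than silently ignoring them.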


Weakness Enumeration

Related Identifiers

CVE-2025-27137
GHSA-9582-88HR-54W3
GHSA-P75G-CXFJ-7WRX

Affected Products

Dependency-Track