Improper Neutralization of Special Elements Used in a Template Engine in Nautobot - CVE-2025-49142

 


Published: May 11, 2026


Vulnerability identifier: #VU130967
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-49142
CWE-ID: CWE-1336
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Nautobot
Software vendor: Nautobot

Description

The vulnerability allows a remote user to disclose secret values and modify data within Nautobot.

The vulnerability exists because the Jinja2 templating feature for computed fields, custom links, and related templated content does not properly neutralize special elements when rendering user-configured templates. A remote user can configure crafted templated content to disclose secret values and modify data within Nautobot.

Data modification can bypass the object permissions assigned to the viewing user.


Remediation

Install the security update from the vendor's website.
