Improper Neutralization of Special Elements Used in a Template Engine in Nautobot - CVE-2025-49142

 

Improper Neutralization of Special Elements Used in a Template Engine in Nautobot - CVE-2025-49142

Published: May 11, 2026


Vulnerability identifier: #VU130967
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-49142
CWE-ID: CWE-1336
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nautobot
Affected software:
Nautobot

Detailed vulnerability description

The vulnerability allows a remote user to disclose secret values and modify data within Nautobot.

The vulnerability exists due to improper neutralization of special elements used in a template engine in the Jinja2 templating feature for computed fields, custom links, and related templated content when rendering user-configured templates. A remote user can configure crafted templated content to disclose secret values and modify data within Nautobot.

Data modification can bypass the object permissions assigned to the viewing user.


How to mitigate CVE-2025-49142

Install security update from vendor's website.

Sources