iobroker.admin before 3.6.12 allows attacker to include file contents from outside the `/log/file1/` directory.