5.5
CVE-2026-34730
- EPSS 0.29%
- Published 02.04.2026 18:09:16
- Last modified 03.04.2026 19:43:42
- Source security-advisories@github.com
Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's `_external_data` feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
Data provided by the National Vulnerability Database (NVD)
Copier-org ≫ Copier (software platform: python), version < 9.14.1
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.202 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/copier-org/copier/releases/tag/v9.14.1
https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h
https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b