CVE-2026-23968

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23968

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23968.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23968

Aliases

GHSA-xjhm-gp88-8pfx

Published

2026-01-21T22:13:25.377Z

Modified

2026-01-28T05:53:05.824873Z

Severity

6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false

Details

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with _preserve_symlinks: false (which is Copier's default setting). Version 9.11.2 patches the issue.

Database specific

{
    "cwe_ids": [
        "CWE-61"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23968.json"
}

References

Affected packages

Git / github.com/copier-org/copier

Affected ranges

Type: GIT
Repo: https://github.com/copier-org/copier
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b9ee2962b5e0a81b838261b630bd36d0c6c3fa87

Affected versions

1.*

1.1.1

3.*

3.0.0-alpha5

3.0.0-alpha6

v2.*

v2.2.3

v2.3

v2.3.1

v2.3.2

v2.3.3

v2.4.0

v2.4.1

v2.4.2

v2.5.0

v2.5.1

v3.*

v3.0.0

v3.0.0-alpha1

v3.0.0-alpha2

v3.0.0-alpha3

v3.0.0-alpha4

v3.0.0-alpha7

v3.0.0-alpha8

v3.0.0-beta1

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.1.0

v3.2.0

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.1.0

v5.*

v5.0.0

v5.1.0

v6.*

v6.0.0

v6.0.0a0

v6.0.0a1

v6.0.0a2

v6.0.0a3

v6.0.0a4

v6.0.0a5

v6.0.0a6

v6.0.0a7

v6.0.0a8

v6.0.0a9

v6.0.0b0

v6.1.0

v6.2.0

v7.*

v7.0.1

v7.1.0

v7.1.0a0

v7.2.0

v8.*

v8.0.0

v8.1.0

v8.2.0

v8.3.0

v9.*

v9.0.0

v9.0.1

v9.1.0

v9.1.1

v9.10.0

v9.10.1

v9.10.2

v9.10.3

v9.11.0

v9.11.1

v9.2.0

v9.3.0

v9.3.1

v9.4.0

v9.4.1

v9.5.0

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

v9.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23968.json"