CVE-2026-23986
- Source
- https://cve.org/CVERecord?id=CVE-2026-23986
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23986.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23986
- Aliases
- Published
- 2026-01-21T22:20:37.720Z
- Modified
- 2026-03-01T02:23:16.993994Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
- Details
-
Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the
--UNSAFE,--trustflag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with_preserve_symlinks: trueand a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23986.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-61" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23986.json
- https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6
- https://github.com/copier-org/copier/releases/tag/v9.11.2
- https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh
- https://nvd.nist.gov/vuln/detail/CVE-2026-23986
Affected packages
Git / github.com/copier-org/copier
Affected ranges
- Type
- GIT
- Repo
- https://github.com/copier-org/copier
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.1.1
3.*
3.0.0-alpha5
3.0.0-alpha6
v2.*
v2.2.3
v2.3
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.5.1
v3.*
v3.0.0
v3.0.0-alpha1
v3.0.0-alpha2
v3.0.0-alpha3
v3.0.0-alpha4
v3.0.0-alpha7
v3.0.0-alpha8
v3.0.0-beta1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.2.0
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.1.0
v5.*
v5.0.0
v5.1.0
v6.*
v6.0.0
v6.0.0a0
v6.0.0a1
v6.0.0a2
v6.0.0a3
v6.0.0a4
v6.0.0a5
v6.0.0a6
v6.0.0a7
v6.0.0a8
v6.0.0a9
v6.0.0b0
v6.1.0
v6.2.0
v7.*
v7.0.1
v7.1.0
v7.1.0a0
v7.2.0
v8.*
v8.0.0
v8.1.0
v8.2.0
v8.3.0
v9.*
v9.0.0
v9.0.1
v9.1.0
v9.1.1
v9.10.0
v9.10.1
v9.10.2
v9.10.3
v9.11.0
v9.11.1
v9.2.0
v9.3.0
v9.3.1
v9.4.0
v9.4.1
v9.5.0
v9.6.0
v9.7.0
v9.7.1
v9.8.0
v9.9.0
v9.9.1