PYSEC-2026-2135

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/copier/PYSEC-2026-2135.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2135
Aliases
Published
2026-04-02T19:21:32.560Z
Modified
2026-07-13T07:15:22.045371539Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's externaldata feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.

References

Affected packages

PyPI / copier

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.14.1

Affected versions

2.*
2.0.0
2.0.1
2.1.0
2.2.1
2.2.2
2.2.3
2.3
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
3.*
3.0.0a3
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0a8
3.0.0b1
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.2.0
4.*
4.0.0
4.0.1
4.0.2
4.1.0
5.*
5.0.0
5.1.0
6.*
6.0.0a0
6.0.0a2
6.0.0a3
6.0.0a4
6.0.0a5
6.0.0a6
6.0.0a7
6.0.0a9
6.0.0b0
6.0.0
6.1.0
6.2.0
7.*
7.0.1
7.1.0a0
7.1.0
7.2.0
8.*
8.0.0
8.1.0
8.2.0
8.3.0
9.*
9.0.1
9.1.0
9.1.1
9.2.0
9.3.0
9.3.1
9.4.0
9.4.1
9.5.0
9.6.0
9.7.0
9.7.1
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.10.3
9.11.0
9.11.1
9.11.2
9.11.3
9.12.0
9.13.0
9.13.1
9.14.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/copier/PYSEC-2026-2135.yaml"