CVE-2026-33154

HIGH

dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33154, a PoC published by redyank.

AI-analyzed exploit summary:
The repository provides a detailed technical analysis of CVE-2026-33154, a Server-Side Template Injection (SSTI) vulnerability in Dynaconf. It explains the root cause, attack vectors, and includes a proof-of-concept demonstrating arbitrary command execution via unsafe Jinja2 template evaluation.

Description

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @jinja resolver. When the jinja2 package is installed, Dynaconf renders template expressions embedded in configuration values (values prefixed with `@jinja`) in an unsandboxed Jinja2 environment. A template expression can therefore walk from ordinary objects to Python internals, which is the classic Jinja2 SSTI route to arbitrary code execution. Exploitation requires that the attacker can place a value into a configuration source the application loads (environment variables, .env or settings files); the resolver is inactive if jinja2 is not installed. This issue has been patched in version 3.2.13.

Exploits (1)

Source: nomisec · Writeup
by redyank · PoC
https://github.com/redyank/CVE-2026-33154


Classification
Writeup (confidence 95%)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Dynaconf (versions prior to 3.2.13)
No auth needed (per the exploit analysis; the CVSS vector below rates PR:L because the attacker must already be able to write to a configuration source)
Prerequisites: Jinja2 package installed · Attacker control over configuration sources (e.g., environment variables, .env files)
Analyzed by devstral-2 on Apr 09, 2026

Scores

CVSS v3.1 base score: 7.5 (High)
EPSS: 0.0002 (0.02%)
EPSS percentile: 7.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: CISA Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) · CWE-78 (OS Command Injection) · CWE-94 (Code Injection)
Status: published
Products (2)
dynaconf/dynaconf < 3.2.13 (2 CPE variants)
pypi/dynaconf >= 0, < 3.2.13 (PyPI)
Published Mar 20, 2026
Tracked Since Mar 21, 2026