CVE-2026-33154

HIGH

dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

Title source: cna

Description

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
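The description above contrasts evaluating a template in a plain jinja2 environment with evaluating it in a sandboxed one. The following is an added example written for this page, not dynaconf's own code or its patch: it renders the same constructed configuration value once with `jinja2.Environment` and once with `jinja2.sandbox.SandboxedEnvironment`, showing that the sandbox refuses underscore-prefixed attribute access on the objects exposed to the template, and it includes a small audit helper that lists which settings in a nested configuration dict still use the `@jinja` marker (the marker is on the page; the `AppContext` object, the settings dict and the helper names are assumptions made for the example). It requires the jinja2 package.

```python
"""Added example (not dynaconf's code): plain vs. sandboxed jinja2 evaluation
of configuration values, plus an audit of which settings use @jinja."""
from dataclasses import dataclass

from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment, SecurityError


@dataclass
class AppContext:
    """Constructed object handed to templates as `app` (hypothetical)."""
    name: str = "api"
    _private: str = "do-not-expose"  # an attribute a template should never read


def evaluate(template: str, ctx: AppContext, sandboxed: bool) -> tuple[str, str]:
    """Render `template` with `app=ctx`.

    Returns ("ok", rendered_text) or ("blocked", reason).  StrictUndefined makes
    every unresolved lookup fail loudly instead of silently rendering "".
    """
    if sandboxed:
        # SandboxedEnvironment.is_safe_attribute rejects names starting with "_"
        # and hands back an Undefined that raises SecurityError when used.
        env = SandboxedEnvironment(undefined=StrictUndefined)
    else:
        env = Environment(undefined=StrictUndefined)
    try:
        return "ok", env.from_string(template).render(app=ctx)
    except SecurityError as exc:
        return "blocked", str(exc)


def find_jinja_values(settings: dict, prefix: str = "") -> list[str]:
    """Return dotted keys whose string value starts with the @jinja marker.

    Useful when inventorying a settings tree before upgrading to a fixed
    release: every key listed here is evaluated as a template.
    """
    found = []
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            found.extend(find_jinja_values(value, path))
        elif isinstance(value, str) and value.lstrip().startswith("@jinja"):
            found.append(path)
    return found


# Constructed settings tree for the demo.
SAMPLE_SETTINGS = {
    "name": "@jinja {{ app.name }}-service",
    "database": {"url": "postgres://db/app", "label": "@jinja {{ app.name }}"},
    "debug": False,
}


if __name__ == "__main__":
    ctx = AppContext()
    print(evaluate("{{ app.name }}", ctx, sandboxed=True))        # ('ok', 'api')
    print(evaluate("{{ app._private }}", ctx, sandboxed=False))   # ('ok', 'do-not-expose')
    print(evaluate("{{ app._private }}", ctx, sandboxed=True))    # ('blocked', ...)
    print(find_jinja_values(SAMPLE_SETTINGS))                     # ['name', 'database.label']
```

The sandbox is only one layer: it limits which attributes and callables a template can reach, so the remaining question for a deployment is which configuration sources can write values that start with `@jinja` at all, and the audit helper answers that for a loaded settings tree.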

Exploits (1)

nomisec WRITEUP
by redyank · poc
https://github.com/redyank/CVE-2026-33154

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 5.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-1336 CWE-78 CWE-94
Status published
Products (2)
dynaconf/dynaconf < 3.2.13 (2 CPE variants)
pypi/dynaconf 0 - 3.2.13 (PyPI)
Published Mar 20, 2026
Tracked Since Mar 21, 2026