CVE-2026-34730

MEDIUM

Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode

Title source: cna

Description

Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.

References (3)

Scores

CVSS v3 5.5
EPSS 0.0001
EPSS Percentile 0.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (2)
copier-org/copier < 9.14.1 (2 CPE variants)
pypi/copier 0 - 9.14.1PyPI
Published Apr 02, 2026
Tracked Since Apr 03, 2026