CVE-2026-34730
Severity: MEDIUM
Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode
Title source: CNA description
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's `_external_data` feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
References (3)
x_refsource_confirm
https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h
x_refsource_misc
https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b
x_refsource_misc
https://github.com/copier-org/copier/releases/tag/v9.14.1
Scores
CVSS v3
5.5
EPSS
0.0029
EPSS Percentile
20.2%
Attack Vector
LOCAL
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
copier-org/copier
< 9.14.1 (2 CPE variants)
pypi/copier
0 - 9.14.1 (PyPI)
Published
Apr 02, 2026
Tracked Since
Apr 03, 2026