← Volver a CVEs

CVE-2026-34730

MEDIUM

5.5

Descripcion

Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.

Detalles CVE

Puntuacion CVSS v3.15.5

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vector de ataqueLOCAL

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioREQUIRED

Publicado4/2/2026

Ultima modificacion4/3/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

copier-org:copier

Debilidades (CWE)

CWE-22

Referencias

https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b(security-advisories@github.com)

https://github.com/copier-org/copier/releases/tag/v9.14.1(security-advisories@github.com)

https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h(security-advisories@github.com)

https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.