Vulnerability Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
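The defensive pattern behind a fix for this class of bug is to confine any template-supplied path to an allowed root before opening it. The following is an added illustration, not Copier's own code or its actual patch; the function name `resolve_external_data_path` and the directory layout built by `demo()` are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

class ExternalDataPathError(ValueError):
    """Raised when a template-controlled path would leave the allowed root."""

def resolve_external_data_path(root, requested: str) -> Path:
    """Return the real path for `requested` only if it stays inside `root`."""
    root = Path(root).resolve()
    if Path(requested).is_absolute():
        raise ExternalDataPathError(f"absolute path rejected: {requested}")
    # resolve() follows symlinks and collapses '..' against the real filesystem,
    # so '..' traversal and symlink escapes are both caught by the parent check.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ExternalDataPathError(f"path escapes root: {requested}")
    if not candidate.is_file():
        raise ExternalDataPathError(f"not a regular file: {requested}")
    return candidate

def _rejected(root, requested) -> bool:
    """True if the confinement check refuses `requested`."""
    try:
        resolve_external_data_path(root, requested)
        return False
    except ExternalDataPathError:
        return True

def demo() -> dict:
    """Constructed layout: a template dir plus a YAML file outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        tpl = tmp / "template"
        (tpl / "data").mkdir(parents=True)
        (tpl / "data" / "values.yml").write_text("project: demo\n")
        (tmp / "outside").mkdir()
        (tmp / "outside" / "secret.yml").write_text("token: constructed\n")
        results["inside_ok"] = resolve_external_data_path(tpl, "data/values.yml").is_file()
        results["dotdot"] = _rejected(tpl, "../outside/secret.yml")
        results["absolute"] = _rejected(tpl, str(tmp / "outside" / "secret.yml"))
        try:  # symlink inside the template that points outside it
            os.symlink(tmp / "outside" / "secret.yml", tpl / "data" / "link.yml")
            results["symlink"] = _rejected(tpl, "data/link.yml")
        except OSError:  # platform without symlink support: nothing to escape via
            results["symlink"] = True
    return results
```

Only a path that survives this check should be handed to a YAML loader (and then a safe loader, not a full one).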
CVSS Score
5.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Copier-Org | Copier | < 9.14.1 |
Related Weaknesses (CWE)
References
- https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef (Patch)
- https://github.com/copier-org/copier/releases/tag/v9.14.1 (Release Notes)
- https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-34730?
CVE-2026-34730 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untru...
How severe is CVE-2026-34730?
CVE-2026-34730 has been rated MEDIUM with a CVSS base score of 5.5/10. See the CVSS score section above.
Is there a patch for CVE-2026-34730?
Check the references section above for vendor advisories and patch information. Affected products include: Copier-Org Copier.