{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34726", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.753Z", "datePublished": "2026-04-02T18:07:35.517Z", "dateUpdated": "2026-04-03T16:16:03.275Z"}, "containers": {"cna": {"title": "Copier `_subdirectory` allows template root escape via parent-directory traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}, {"name": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df"}, {"name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"version": "< 9.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:07:35.517Z"}, "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "source": {"advisory": "GHSA-85v3-4m8g-hrh6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:15:43.192383Z", "id": "CVE-2026-34726", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:16:03.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34726", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:15:43.192383Z"}}}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:15:54.655Z"}}], "cna": {"title": "Copier `_subdirectory` allows template root escape via parent-directory traversal", "source": {"advisory": "GHSA-85v3-4m8g-hrh6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"status": "affected", "version": "< 9.14.1"}]}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "name": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "name": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:07:35.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34726", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:16:03.275Z", "dateReserved": "2026-03-30T18:41:20.753Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:07:35.517Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:copier-org:copier:*:*:*:*:*:python:*:*", "matchCriteriaId": "08914294-5C57-49CB-8D05-BBB156C6B8B1", "versionEndExcluding": "9.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "id": "CVE-2026-34726", "lastModified": "2026-04-03T19:40:49.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.14.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copier", "source": "cna", "vendor": "copier-org"}, "product": "copier", "vendor": "copier-org"}], "analysis": {"en": {"generated_at": "2026-04-02T22:52:19.981600+00:00", "value": {"mitigation_remediation": ["Upgrade Copier to version 9.14.1 or newer"], "summary": {"action": "Patch", "impact": "Unauthorized file access via template root escape"}, "threat_synthesis": {"affected_systems": "Any installation of the open\u2011source Copier tool built before version 9.14.1 is affected. The issue exists in both the library and command\u2011line interface across all operating systems where the tool runs. The problem is addressed in releases 9.14.1 and later, which enforce proper handling of _subdirectory values.", "description_and_impact": "The vulnerability arises when Copier\u2019s _subdirectory setting, intended to define the template's root, accepts parent-directory traversal sequences such as \"..\". This causes the tool to resolve outside the intended template directory, allowing it to render files from a parent location without requiring an --UNSAFE flag. The result is the ability to read arbitrary files that the template was not meant to access, constituting a classic path traversal weakness (CWE\u201122). The CVSS score of 4.4 indicates a moderate severity impact.", "risk_and_exploitability": "The CVSS metric places the risk in the medium range; no EPSS score is supplied, and the vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list. Exploitation requires an attacker to supply a template configuration containing a malicious _subdirectory value, which is possible when a user retrieves a template from an untrusted source or the template itself embeds the vulnerable setting. Because the attack occurs locally on the system running Copier, the impact is confined to that environment, but the ability to read arbitrary files can be critical, especially if the file contains sensitive data."}}}}, "created": "2026-04-03T07:32:02.255975+00:00", "updated": "2026-04-03T09:17:02.115612+00:00", "vendors": ["copier-org", "copier-org$PRODUCT$copier"]}