{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T18:09:16.007Z", "dateUpdated": "2026-04-03T13:01:14.081Z"}, "containers": {"cna": {"title": "Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}, {"name": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b"}, {"name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"version": "< 9.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:09:16.007Z"}, "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "source": {"advisory": "GHSA-hgjq-p8cr-gg4h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:01:09.904637Z", "id": "CVE-2026-34730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:01:14.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:01:09.904637Z"}}}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:01:04.817Z"}}], "cna": {"title": "Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode", "source": {"advisory": "GHSA-hgjq-p8cr-gg4h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"status": "affected", "version": "< 9.14.1"}]}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "name": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "name": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:09:16.007Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34730", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:01:14.081Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:09:16.007Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:copier-org:copier:*:*:*:*:*:python:*:*", "matchCriteriaId": "08914294-5C57-49CB-8D05-BBB156C6B8B1", "versionEndExcluding": "9.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "id": "CVE-2026-34730", "lastModified": "2026-04-03T19:43:42.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.14.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copier", "source": "cna", "vendor": "copier-org"}, "product": "copier", "vendor": "copier-org"}], "analysis": {"en": {"generated_at": "2026-04-02T22:25:58.866309+00:00", "value": {"mitigation_remediation": ["Upgrade to Copier version 9.14.1 or later", "If upgrade is not possible, avoid using untrusted templates or disable the _external_data feature", "Verify the provenance and integrity of templates before use", "Limit the privileges of the user running Copier to reduce the attack surface"], "summary": {"action": "Patch Now", "impact": "Local file read \u2013 sensitive data disclosure via path traversal"}, "threat_synthesis": {"affected_systems": "The affected component is the Copier package, distributed under the copier\u2011org organization. The issue exists in all releases before version 9.14.1 of the library and its command\u2011line interface. Users who employ untrusted template sources or incorporate external templates into their project generation process are at risk. The official fix is included in release v9.14.1, which removes the ability for templates to load arbitrary local files without explicit unsafe mode.", "description_and_impact": "Copier, a library and CLI application for rendering project templates, contains a flaw in its _external_data feature that permits templates to specify paths for loading YAML files. Prior to version 9.14.1, this functionality fails to normalize or restrict the supplied path, enabling a malicious template to read any YAML\u2011parseable file that the executing user can access. The content of these files is exposed in the rendered output, potentially revealing confidential configuration or credential information. This vulnerability is classified as a path traversal leading to local file read (CWE\u201122).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV database. Exploitation requires a user to execute Copier with a template that has been crafted by an attacker or compromised repository. Since the read operation occurs under the privileges of the person running Copier, the impact is limited to files accessible to that user, but the exposure of configuration data can aid further attacks. The lack of a public exploit and the moderate score suggest a realistic but not imminent threat, yet patching remains the safest mitigation."}}}}, "created": "2026-04-03T07:32:01.251659+00:00", "updated": "2026-04-03T09:17:01.173729+00:00", "vendors": ["copier-org", "copier-org$PRODUCT$copier"]}