{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33154", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.886Z", "datePublished": "2026-03-20T20:22:59.090Z", "dateUpdated": "2026-03-27T15:23:09.972Z"}, "containers": {"cna": {"title": "dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"}, {"name": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7", "tags": ["x_refsource_MISC"], "url": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"}, {"name": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"}], "affected": [{"vendor": "dynaconf", "product": "dynaconf", "versions": [{"version": "< 3.2.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:22:59.090Z"}, "descriptions": [{"lang": "en", "value": "dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13."}], "source": {"advisory": "GHSA-pxrr-hq57-q35p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T15:23:07.114538Z", "id": "CVE-2026-33154", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:23:09.972Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33154", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.886Z", "datePublished": "2026-03-20T20:22:59.090Z", "dateUpdated": "2026-03-27T15:23:09.972Z"}, "containers": {"cna": {"title": "dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"}, {"name": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7", "tags": ["x_refsource_MISC"], "url": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"}, {"name": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"}], "affected": [{"vendor": "dynaconf", "product": "dynaconf", "versions": [{"version": "< 3.2.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:22:59.090Z"}, "descriptions": [{"lang": "en", "value": "dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13."}], "source": {"advisory": "GHSA-pxrr-hq57-q35p", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33154", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T15:23:07.114538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:39:27.332Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dynaconf:dynaconf:*:*:*:*:*:*:*:*", "matchCriteriaId": "33420500-478D-4250-B4F3-04E25B99BC2F", "versionEndExcluding": "3.2.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13."}, {"lang": "es", "value": "dynaconf es una herramienta de gesti\u00f3n de configuraci\u00f3n para Python. Antes de la versi\u00f3n 3.2.13, Dynaconf es vulnerable a la Inyecci\u00f3n de Plantilla del Lado del Servidor (SSTI) debido a la evaluaci\u00f3n insegura de plantillas en el resolvedor @Jinja. Cuando el paquete jinja2 est\u00e1 instalado, Dynaconf eval\u00faa expresiones de plantilla incrustadas en valores de configuraci\u00f3n sin un entorno aislado. Este problema ha sido parcheado en la versi\u00f3n 3.2.13."}], "id": "CVE-2026-33154", "lastModified": "2026-04-14T18:23:14.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T21:17:15.740", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "dynaconf: jinja2: Dynaconf: Arbitrary code execution via Server-Side Template Injection", "id": "2449774", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449774"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["A flaw was found in dynaconf, a Python configuration management tool. This Server-Side Template Injection (SSTI) vulnerability occurs due to unsafe template evaluation in the @Jinja resolver when the jinja2 package is installed. A remote attacker could exploit this by embedding malicious template expressions in configuration values, which are then processed without a sandboxed environment. This could lead to arbitrary code execution on the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33154", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-dashboard-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-tech-preview/automation-dashboard-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-03-20T20:22:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33154\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33154\nhttps://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7\nhttps://github.com/dynaconf/dynaconf/releases/tag/3.2.13\nhttps://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "dynaconf", "source": "cna", "vendor": "dynaconf"}, "product": "dynaconf", "vendor": "dynaconf"}], "analysis": {"en": {"generated_at": "2026-04-14T21:09:36.147938+00:00", "value": {"mitigation_remediation": ["Upgrade dynaconf to version 3.2.13 or later.", "If upgrading is not possible, disable the @Jinja resolver or remove unsafe template expressions from configuration.", "Ensure that the jinja2 package is not installed unless required by your application."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the dynaconf configuration tool for Python. Versions earlier than 3.2.13 are vulnerable, as documented by the vendor. Any deployment that relies on dynaconf before the 3.2.13 release, and has the jinja2 dependency installed, is susceptible to this remote code execution flaw.", "description_and_impact": "SSTI arises from dynaconf's @Jinja resolver evaluating template expressions in configuration values without a sandbox, enabling an attacker to inject Python expressions that are executed on the server. When the jinja2 package is present, the evaluator can run arbitrary code, allowing the attacker to read, modify, or delete data, or exfiltrate sensitive information. The vulnerability can be triggered by malicious configuration entries, making it a high\u2011safety risk for any deployment exposing configuration files to untrusted input.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity level, while the EPSS score of less than 1% suggests that exploitation is currently unlikely on a broad scale. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating no public exploits have been reported. An attacker can exploit the vulnerability by injecting malicious template syntax into configuration files or environments where dynaconf processes non\u2011trusted data. The analysis indicates that the most probable attack vector is through file\u2011based configuration injection, given that dynaconf evaluates templates in those contexts."}}}}, "created": "2026-03-23T09:52:42.940874+00:00", "updated": "2026-04-15T16:45:09.813669+00:00", "vendors": ["dynaconf", "dynaconf$PRODUCT$dynaconf"]}