{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34726", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.753Z", "datePublished": "2026-04-02T18:07:35.517Z", "dateUpdated": "2026-04-03T16:16:03.275Z"}, "containers": {"cna": {"title": "Copier `_subdirectory` allows template root escape via parent-directory traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}, {"name": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df"}, {"name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"version": "< 9.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:07:35.517Z"}, "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "source": {"advisory": "GHSA-85v3-4m8g-hrh6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:15:43.192383Z", "id": "CVE-2026-34726", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:16:03.275Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34726", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:15:43.192383Z"}}}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:15:54.655Z"}}], "cna": {"title": "Copier `_subdirectory` allows template root escape via parent-directory traversal", "source": {"advisory": "GHSA-85v3-4m8g-hrh6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"status": "affected", "version": "< 9.14.1"}]}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "name": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "name": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:07:35.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34726", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:16:03.275Z", "dateReserved": "2026-03-30T18:41:20.753Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:07:35.517Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:copier-org:copier:*:*:*:*:*:python:*:*", "matchCriteriaId": "08914294-5C57-49CB-8D05-BBB156C6B8B1", "versionEndExcluding": "9.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1."}], "id": "CVE-2026-34726", "lastModified": "2026-04-03T19:40:49.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.14.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copier", "source": "cna", "vendor": "copier-org"}, "product": "copier", "vendor": "copier-org"}], "analysis": {"en": {"generated_at": "2026-04-03T22:27:33.578667+00:00", "value": {"mitigation_remediation": ["Upgrade to Copier v9.14.1 or later to apply the official fix", "If upgrading is not immediately possible, audit supplied templates for parent-directory references in the _subdirectory setting and remove or neutralize them", "Restrict template sources to trusted repositories to reduce the likelihood of malicious templates being processed", "Monitor file rendering operations for unexpected or unauthorized file inclusion"], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via template root escape"}, "threat_synthesis": {"affected_systems": "The issue affects the Copier package produced by copier-org, used as a library and command\u2011line tool for rendering project templates. All releases prior to version 9.14.1 are vulnerable. The fix was introduced in release 9.14.1; users should upgrade to that version or later to mitigate the risk. This vulnerability is relevant to environments that rely on Copier to process templates supplied by external sources.", "description_and_impact": "The vulnerability lies in Copier's handling of the _subdirectory setting, which is intended to specify the template root. The implementation accepts parent-directory traversal patterns such as '..' and uses them directly when selecting the template root. This allows a template to escape its own directory and cause Copier to render files from the parent directory without requiring the --UNSAFE flag. As a result, an attacker can access and copy arbitrary files from the parent directory into the rendered project, potentially exposing sensitive data. The weakness corresponds to CWE-22, a directory traversal vulnerability.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium level of severity, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to supply a malicious template that includes a parent-directory term in the _subdirectory field; no special privileges are required, so local or supply\u2011chain attacks are plausible. Since the vulnerability is a directory traversal bug, it can be mitigated by updating the tool before any exploitation occurs."}}}}, "created": "2026-04-03T07:32:02.255975+00:00", "updated": "2026-04-07T07:55:44.071404+00:00", "vendors": ["copier-org", "copier-org$PRODUCT$copier"]}