{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.754Z", "datePublished": "2026-04-02T18:09:16.007Z", "dateUpdated": "2026-04-03T13:01:14.081Z"}, "containers": {"cna": {"title": "Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}, {"name": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b"}, {"name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"version": "< 9.14.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:09:16.007Z"}, "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "source": {"advisory": "GHSA-hgjq-p8cr-gg4h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:01:09.904637Z", "id": "CVE-2026-34730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:01:14.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:01:09.904637Z"}}}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:01:04.817Z"}}], "cna": {"title": "Copier `_external_data` allows path traversal and absolute-path local file read without unsafe mode", "source": {"advisory": "GHSA-hgjq-p8cr-gg4h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "copier-org", "product": "copier", "versions": [{"status": "affected", "version": "< 9.14.1"}]}], "references": [{"url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "name": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "name": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "name": "https://github.com/copier-org/copier/releases/tag/v9.14.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:09:16.007Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34730", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:01:14.081Z", "dateReserved": "2026-03-30T18:41:20.754Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:09:16.007Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:copier-org:copier:*:*:*:*:*:python:*:*", "matchCriteriaId": "08914294-5C57-49CB-8D05-BBB156C6B8B1", "versionEndExcluding": "9.14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1."}], "id": "CVE-2026-34730", "lastModified": "2026-04-03T19:43:42.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:32.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.14.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "copier", "source": "cna", "vendor": "copier-org"}, "product": "copier", "vendor": "copier-org"}], "analysis": {"en": {"generated_at": "2026-04-03T22:27:25.280958+00:00", "value": {"mitigation_remediation": ["Upgrade to copier version 9.14.1 or later.", "Validate that all templates originate from trusted and verified sources before loading them."], "summary": {"action": "Patch", "impact": "Path Traversal Local File Read"}, "threat_synthesis": {"affected_systems": "All releases of the Copier library and command\u2011line interface prior to version 9.14.1 are affected. The security advisory identifies that the issue has been fixed in version 9.14.1, so any installation using an older release is vulnerable.", "description_and_impact": "Copier is a library and CLI used to render project templates. Prior to version 9.14.1 its _external_data feature allowed a template to load YAML files using paths under the template\u2019s control. As a result, an attacker could supply a malicious template that references an arbitrary file on the local filesystem, causing the file\u2019s contents to be read, parsed as YAML, and exposed in the rendered output. This vulnerability enables information disclosure by reading any file accessible to the user running Copier and is classed under CWE\u201122.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate impact, while the EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to supply or otherwise place a malicious template in a location where the user will load it. Therefore, the attack vector is likely local or via insider or compromised repository access rather than remote exploitation."}}}}, "created": "2026-04-03T07:32:01.251659+00:00", "updated": "2026-04-07T07:55:43.048224+00:00", "vendors": ["copier-org", "copier-org$PRODUCT$copier"]}