Is Copier affected by CVE-2026-23968?

Organizations using Copier should be aware of moderate risk from CVE-2026-23968 rated CVSS 5.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available. A patch is available and should be applied during regular vulnerability management.

CVE-2026-23968

MEDIUM

2026-01-21 [email protected]

GHSA-xjhm-gp88-8pfx

5.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 02, 2026 - 14:11 vuln.today

Public exploit code

Patch Released

Feb 02, 2026 - 14:11 nvd

Patch available

CVE Published

Jan 21, 2026 - 23:15 nvd

MEDIUM 5.5

Description

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue.

Analysis

Copier versions before 9.11.2 allow local attackers to read arbitrary files outside the template directory by exploiting symlink handling when the default `_preserve_symlinks: false` setting is enabled, bypassing the library's safety guarantees for templates that don't require the unsafe flag. An attacker with local access can leverage this to access sensitive files through a malicious or compromised template. …

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +28

POC: +20

CVE-2026-23968 vulnerability details – vuln.today

Back

CVE-2026-23968

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-23968

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code