Skip to main content

Python CVE-2026-34726

MEDIUM
Path Traversal (CWE-22)
2026-04-01 https://github.com/copier-org/copier GHSA-85v3-4m8g-hrh6
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 23:16 vuln.today
CVE Published
Apr 01, 2026 - 22:28 nvd
MEDIUM 4.4

DescriptionGitHub Advisory

Summary

Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root.

As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE.

Details

The relevant code path is:

  1. the template defines _subdirectory
  2. Copier renders that string
  3. template_copy_root returns self.template.local_abspath / subdir
  4. Copier walks that directory as the template root

Relevant code:

  • <https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/copier/_main.py#L1056-L1062>
  • <https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/copier/_template.py#L504-L513>

The effective sink is:

python
subdir = self._render_string(self.template.subdirectory) or ""
return self.template.local_abspath / subdir

There is no check that the resulting path stays inside the template directory.

The documentation for _subdirectory describes it as:

> Subdirectory to use as the template root when generating a project.

and explains it as a way to separate template metadata from template source code:

<https://github.com/copier-org/copier/blob/7aa7021bd73797c982492bac3535515d4484fdb7/docs/configuring.md#L1582-L1646>

That description fits values like template or poetry, but not ...

PoC

PoC 1: _subdirectory: .. escapes to the parent directory
sh
mkdir -p root/template dst
echo 'loot' > root/loot.txt
printf '%s\n' '_subdirectory: ..' > root/template/copier.yml

copier copy --overwrite root/template dst
find dst -maxdepth 3 -type f | sort
cat dst/loot.txt

Expected output includes:

text
dst/loot.txt
dst/template/copier.yml
loot

This shows Copier is rendering from root/ rather than from root/template/.

Impact

If a user runs Copier on an untrusted template, that template can change the effective template root and make Copier render files from outside the intended template directory.

Practical impact:

  • template-root escape via ..
  • rendering of parent-directory files that were not meant to be part of the template
  • possible without --UNSAFE

AnalysisAI

Path traversal in Copier's _subdirectory setting allows template escape without --UNSAFE flag. A malicious or compromised template can use parent-directory traversal sequences (e.g., _subdirectory: ..) to render files from outside the intended template directory, enabling unauthorized file access during template instantiation. CVSS 4.4 (low-to-moderate severity); no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

Copier is a Python-based template generation tool that processes a _subdirectory configuration parameter to set the effective template root directory. The vulnerability exists in the rendering pipeline: the _subdirectory string is rendered as a Jinja2 template, then appended directly to self.template.local_abspath without path normalization or containment validation. The sink is in _template.py where return self.template.local_abspath / subdir concatenates user-controlled subdirectory input to the base template path using Python's pathlib division operator. No check confirms the resolved path remains within the intended template boundary. This is a classic path traversal (CWE-22) where relative path components like .. are accepted and processed, allowing escape to parent directories. The vulnerability affects pkg:pip/copier across versions that do not implement path containment checks.

RemediationAI

Upgrade Copier to the patched version specified in the GitHub Security Advisory (GHSA-85v3-4m8g-hrh6). The fix implements path containment validation to ensure _subdirectory values cannot escape the template root using parent-directory traversal; this likely involves path normalization and assertion that the resolved path is a descendant of the template base directory. Immediate workaround: only run Copier on templates from trusted sources and manually audit _subdirectory values in copier.yml before execution. Review https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6 for the exact patched release version and implementation details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34726 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy