Skip to main content

Pydantic Settings

1 CVEs product

Monthly

CVE-2026-58203 PyPI MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Symlink traversal in pydantic-settings 2.12.0-2.14.1 allows a local low-privileged attacker with write access to the configured secrets directory to read arbitrary files from the host filesystem into application settings when secrets_nested_subdir=True. The same code path also bypasses the secrets_dir_max_size loading cap, undermining an advertised safety control. No public exploit or CISA KEV listing exists; the vendor-released fix is version 2.14.2.

Path Traversal Pydantic Settings
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy