Symlink Vulnerability in Copier Library and CLI Application by Copier
CVE-2026-23968
6.8MEDIUM
What is CVE-2026-23968?
The Copier library and command-line interface (CLI) application have a vulnerability that permits the inclusion of arbitrary files and directories from outside the local template location. This flaw arises from the manipulation of symlinks in project templates alongside the default setting of _preserve_symlinks: false. Users may be misled into believing that they are using a safe template, unaware that unsafe features can still expose their environment to risks. The issue has been addressed in version 9.11.2, which includes a patch to ensure that generated projects do not unintentionally include unsafe references.
Affected Version(s)
copier < 9.11.2
