Directory Traversal Vulnerability in Copier Library by Copier Org
CVE-2026-34726

4.4MEDIUM

Key Information:

Vendor

Copier-org

Status
Vendor
CVE Published:
2 April 2026

What is CVE-2026-34726?

The Copier library, a tool for rendering project templates, has a directory traversal flaw in its _subdirectory setting before version 9.14.1. This vulnerability allows attackers to manipulate the template root by using parent directory traversal sequences, such as '..', to escape the designated template directory. Consequently, this can expose sensitive files from the parent directory during rendering operations, even without using the --UNSAFE flag. Users are strongly encouraged to update to version 9.14.1 or later, where this issue has been resolved.

Affected Version(s)

copier < 9.14.1

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.