Command Injection Vulnerability in Copier Library by Copier
CVE-2026-53951
8.8HIGH
What is CVE-2026-53951?
The Copier library has a command injection vulnerability affecting versions 9.5.0 through 9.15.1. This flaw arises from an improper comparison of template URLs against a trusted prefix, enabling attackers to manipulate the template resolution process. Specifically, the trust setting's prefix match lacks appropriate path normalization, allowing untrusted templates to be executed under the guise of trusted ones. Attackers can exploit this oversight to run arbitrary commands without triggering the necessary trust prompts. Version 9.15.2 resolves this vulnerability, reinforcing security in the template rendering process.
Affected Version(s)
copier >= 9.5.0, < 9.15.2
