Command Injection Vulnerability in Copier Library by Copier
CVE-2026-53951

8.8HIGH

Key Information:

Vendor

Copier-org

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-53951?

The Copier library has a command injection vulnerability affecting versions 9.5.0 through 9.15.1. This flaw arises from an improper comparison of template URLs against a trusted prefix, enabling attackers to manipulate the template resolution process. Specifically, the trust setting's prefix match lacks appropriate path normalization, allowing untrusted templates to be executed under the guise of trusted ones. Attackers can exploit this oversight to run arbitrary commands without triggering the necessary trust prompts. Version 9.15.2 resolves this vulnerability, reinforcing security in the template rendering process.

Affected Version(s)

copier >= 9.5.0, < 9.15.2

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.