Description

Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1.

INFO

Published Date :

2026-04-02T18:07:35.517Z

Last Modified :

2026-04-02T18:07:35.517Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34726 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34726.

URL Resource
https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df cve-icon cve-icon
https://github.com/copier-org/copier/releases/tag/v9.14.1 cve-icon cve-icon
https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact