cvedb.io
CVE-2026-34730
MEDIUM · CVSS 5.5
EPSS exploitation probability: 0%
Published 2026-04-02T19:21:32.560 · Last modified 2026-06-17T10:39:31.487

Summary

Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.

Affected products

copier-org — copier

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.