PT-2026-29671 · Copier · Copier

Evipepota · Published 2026-04-01 · Updated 2026-04-03 · CVE-2026-34730

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Copier versions prior to 9.14.1

Description: The external data feature in Copier allows templates to load YAML files using paths controlled by the template. A malicious template can therefore read YAML-parseable local files accessible to the user running Copier and expose their contents in the rendered output. The issue occurs because there is no containment check to ensure the resulting path stays within the subproject destination, so both parent-directory traversal (e.g., '../secret.yml') and absolute path reads (e.g., '/tmp/secret.yml') are possible. The vulnerability exists even without using the --UNSAFE flag.

Recommendations: Update Copier to version 9.14.1 or later.
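As an added illustration, not Copier's own code, here is the containment check the description says was missing: the template-supplied path is resolved against the subproject destination and rejected when it lands outside it, which covers both `../` traversal and absolute paths. The destination path is a constructed example and does not need to exist.

```python
from pathlib import Path


class PathOutsideDestination(ValueError):
    """Raised when a template-supplied path escapes the subproject destination."""


def resolve_within(destination, requested):
    """Resolve `requested` (the path written in the template) against
    `destination` and return it only if it stays inside that directory.

    Both failure modes from the advisory end up outside the root and are
    rejected: parent-directory traversal ('../secret.yml') and absolute
    paths ('/tmp/secret.yml'; note that Path('/dst') / '/tmp/x' is
    '/tmp/x', so joining does not re-root an absolute path). Symlinks are
    resolved first, so a link inside the destination that points outside
    it is rejected as well.
    """
    root = Path(destination).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError as exc:
        raise PathOutsideDestination(
            f"{requested!r} resolves to {candidate}, outside {root}"
        ) from exc
    return candidate


def is_contained(destination, requested):
    """Boolean form of the check, convenient for tests and logging."""
    try:
        resolve_within(destination, requested)
    except PathOutsideDestination:
        return False
    return True


if __name__ == "__main__":
    # Constructed destination path; the check is purely lexical for
    # non-existent paths, so nothing on disk is touched.
    dst = "/srv/subproject"
    for req in ("data/values.yml", "../secret.yml", "/tmp/secret.yml"):
        verdict = "allowed" if is_contained(dst, req) else "rejected"
        print(f"{req:18} -> {verdict}")
```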

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-34730
GHSA-HGJQ-P8CR-GG4H

Affected Products

Copier