PT-2026-3872 · Copier · Copier

Cbrown1234 · Published 2026-01-21 · Updated 2026-01-22 · CVE-2026-23986

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Copier versions prior to 9.11.2

Description: Copier, a library and CLI app for rendering project templates, allows a malicious template author to overwrite arbitrary files. A template that appears safe can write to directories outside the intended destination path by combining a symlink that is kept as a symlink (preserve_symlinks: true) with a generated directory structure in which the rendered path resides inside the symlinked directory. The exploit is non-deterministic, because Copier uses os.scandir, which yields directory entries in an arbitrary order. Which files can be overwritten is limited by the write permissions of the user running Copier.

Recommendations: Update Copier to version 9.11.2 or later.

Related Identifiers

CVE-2026-23986
GHSA-4FQP-R85R-HXQH

Affected Products

Copier