CVE-2026-53951
copier-org · copier
Copier contains vulnerabilities related to path traversal (CWE-22) and code injection (CWE-94) during the rendering of project templates.
Executive summary
A path traversal and code injection vulnerability in Copier could allow malicious project templates to execute arbitrary code on the host system.
Vulnerability
This vulnerability involves the improper limitation of pathnames and improper control of code generation during template rendering. An attacker can exploit this by providing a crafted template that forces the application to access restricted directories or inject malicious code into the generated project.
Business impact
Exploitation could lead to full system compromise if an attacker successfully injects code during the template generation process. With a CVSS score of 8.8, the impact includes unauthorized access to sensitive files on the host machine and the potential for persistent backdoors within generated software projects.
Remediation
Immediate Action: Update the Copier library and CLI application to version 9.15.2 or later to address the path traversal and injection flaws.
Proactive Monitoring: Audit generated project output for unexpected files or malicious scripts that may have been introduced during the template rendering process.
Compensating Controls: Only utilize templates from trusted and verified sources; avoid rendering templates from unknown or external repositories until the software has been patched.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Developers and DevOps engineers utilizing Copier for project scaffolding must upgrade to version 9.15.2 immediately. The potential for arbitrary code execution makes this a high-priority security update for all environments where project templates are generated.