CVE-2026-23968
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| copier-org | copier | to 9.11.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Copier, a library and CLI app for rendering project templates. Before version 9.11.2, Copier incorrectly suggests that generating a project from a safe template is secure. However, a safe template can include arbitrary files or directories outside the local template clone location by exploiting symbolic links combined with the default setting `_preserve_symlinks: false`. This allows unintended file inclusion from outside the template directory. Version 9.11.2 fixes this issue.
How can this vulnerability impact me? :
This vulnerability can lead to the inclusion of arbitrary files or directories from outside the intended template location when generating projects. This could result in unauthorized access to sensitive files or data leakage, potentially compromising the security of your system or project environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Copier to version 9.11.2 or later, as this version patches the issue with unsafe symlink handling that allows arbitrary files/directories outside the local template clone location to be included.