Is copier affected by CVE-2026-34726?

PyPI copier is affected in <9.14.1.

Is CVE-2026-34726 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

medium

CVE-2026-34726

Q: Is CVE-2026-34726 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

PyPI · copier

Summary

Copier `_subdirectory` allows template root escape via parent-directory traversal

Severity: medium
EPSS: 0.4% (p30)
Also known as: GHSA-85v3-4m8g-hrh6
Published: 2026-04-01

References

https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6
https://nvd.nist.gov/vuln/detail/CVE-2026-34726
https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df

Related advisories

CVE-2025-55201 — high · PyPI/copier
CVE-2026-34730 — medium · PyPI/copier
CVE-2026-23986 — medium · PyPI/copier
CVE-2026-23968 — medium · PyPI/copier
CVE-2025-55214 — medium · PyPI/copier

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.