Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: python312Packages.dynaconf

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-33154
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 3 days ago
  • @LeSuisse accepted 1 week ago
  • @LeSuisse published on GitHub 1 week ago
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

References

Affected products

dynaconf
  • ==< 3.2.13

Matching in nixpkgs

Upstream advisory: https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
Upstream patch: https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7