PYSEC-2026-2147

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/dynaconf/PYSEC-2026-2147.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-2147
Aliases
Published
2026-03-20T21:17:15.740Z
Modified
2026-07-13T07:30:27.811827716Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

References

Affected packages

PyPI / dynaconf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.13

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.0
1.2.0
1.2.1
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.2.3
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0
3.1.1rc1
3.1.1rc2
3.1.1rc3
3.1.1rc4
3.1.1rc5
3.1.1rc6
3.1.1
3.1.2
3.1.3rc1
3.1.3
3.1.4
3.1.5
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/dynaconf/PYSEC-2026-2147.yaml"