{"id":"CVE-2026-33154","summary":"dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver","details":"dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.","aliases":["GHSA-pxrr-hq57-q35p"],"modified":"2026-04-10T05:43:08.957067Z","published":"2026-03-20T20:22:59.090Z","related":["CGA-jhqx-7vg2-54hh","openSUSE-SU-2026:10411-1","openSUSE-SU-2026:20429-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33154.json","cwe_ids":["CWE-1336","CWE-94"]},"references":[{"type":"WEB","url":"https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33154.json"},{"type":"ADVISORY","url":"https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33154"},{"type":"FIX","url":"https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dynaconf/dynaconf","events":[{"introduced":"0"},{"fixed":"2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"}]},{"type":"GIT","repo":"https://github.com/dynaconf/dynaconf","events":[{"introduced":"0"},{"fixed":"3c39a2cc910e4e018f9c745494b019e979f587d1"}]}],"versions":["0.1.2","0.2.0","0.2.1","0.2.7","0.3.0","0.4.1","0.4.4","0.4.5","0.5.0","0.5.2","0.6.0","0.7.0","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.1.0","3.2.10","3.2.11","3.2.12","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","python2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33154.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}