Home

Description

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-20 | Updated 2026-03-27 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 3.2.13
affected

References

github.com/...naconf/security/advisories/GHSA-pxrr-hq57-q35p

github.com/...ommit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7

github.com/dynaconf/dynaconf/releases/tag/3.2.13

cve.org (CVE-2026-33154)

nvd.nist.gov (CVE-2026-33154)

Download JSON