High severity7.5NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026
CVE-2026-33154
CVE-2026-33154
Description
dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dynaconfPyPI | < 3.2.13 | 3.2.13 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/awxpkg:pypi/dynaconfpkg:rpm/opensuse/python-dynaconf&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/python-dynaconf&distro=openSUSE%20Tumbleweed
< 24.6.1-r31+ 3 more
- (no CPE)range: < 24.6.1-r31
- (no CPE)range: < 3.2.13
- (no CPE)range: < 3.2.5-bp160.2.1
- (no CPE)range: < 3.2.13-1.1
Patches
Vulnerability mechanics
References
5- github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7nvdPatchWEB
- github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35pnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-pxrr-hq57-q35pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33154ghsaADVISORY
- github.com/dynaconf/dynaconf/releases/tag/3.2.13nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.