Source: python-dynaconf
Version: 3.2.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-dynaconf.

CVE-2026-33154[0]:
| dynaconf is a configuration management tool for Python. Prior to
| version 3.2.13, Dynaconf is vulnerable to Server-Side Template
| Injection (SSTI) due to unsafe template evaluation in the @Jinja
| resolver. When the jinja2 package is installed, Dynaconf evaluates
| template expressions embedded in configuration values without a
| sandboxed environment. This issue has been patched in version
| 3.2.13.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33154
    https://www.cve.org/CVERecord?id=CVE-2026-33154
[1] https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
[2] https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
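Added illustration (not part of the bug report above, and not Dynaconf's own code): the advisory says the @Jinja resolver renders configuration values with an unsandboxed jinja2 environment. The block below shows, with a constructed settings dict and a constructed "@Jinja " prefix convention, what an attacker-influenced value can reach through a plain jinja2.Environment and what jinja2's SandboxedEnvironment refuses. The helper names (render_value, resolve_all, unsandboxed, sandboxed) and the sample values are assumptions made for this example; they do not reproduce the resolver implementation or the upstream fix.

```python
"""Unsandboxed vs sandboxed Jinja evaluation of configuration values.

Added example for this page; it is NOT Dynaconf's code and does not
reproduce its @Jinja resolver. The "@Jinja " prefix, the settings dict
and the helper names are constructed for illustration only.
"""

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed configuration. Imagine EVIL arrives from a source an
# attacker can influence (a settings file, an environment variable, a
# remote settings backend). Its expression walks from a harmless string
# literal to Python's builtin types through dunder attributes, which is
# the classic SSTI primitive for reaching arbitrary objects.
CONSTRUCTED_SETTINGS = {
    "APP_NAME": "demo",
    "GREETING": "@Jinja Hello from {{ this.APP_NAME }}",
    "EVIL": "@Jinja {{ ''.__class__.__mro__[1].__subclasses__()|length }}",
}

PREFIX = "@Jinja "  # constructed marker, stands in for a resolver tag


def render_value(env, raw, settings):
    """Render a PREFIX-tagged value with the given jinja2 environment.

    Values without the tag are returned unchanged. The whole settings
    mapping is exposed as `this`, so templates can refer to other keys.
    """
    if not raw.startswith(PREFIX):
        return raw
    template = env.from_string(raw[len(PREFIX):])
    return template.render(this=settings)


def resolve_all(env, settings):
    """Resolve every value; map a key to "BLOCKED" when the sandbox
    rejects the expression with jinja2.exceptions.SecurityError."""
    resolved = {}
    for key, raw in settings.items():
        try:
            resolved[key] = render_value(env, raw, settings)
        except SecurityError:
            resolved[key] = "BLOCKED"
    return resolved


def unsandboxed():
    """Plain Environment: EVIL renders to the number of subclasses of
    `object`, i.e. the template reached arbitrary Python objects."""
    return resolve_all(Environment(), CONSTRUCTED_SETTINGS)


def sandboxed():
    """SandboxedEnvironment: dunder attribute access on `''` yields an
    unsafe Undefined, and the next attribute lookup raises SecurityError,
    so EVIL is reported as BLOCKED while GREETING still renders."""
    return resolve_all(SandboxedEnvironment(), CONSTRUCTED_SETTINGS)


if __name__ == "__main__":
    for label, result in (("unsandboxed", unsandboxed()),
                          ("sandboxed", sandboxed())):
        print(label)
        for key, value in result.items():
            print(f"  {key} = {value!r}")
```

The unsandboxed run renders EVIL to a digit string (the length of `object.__subclasses__()`), which is the same reachability an attacker would use to pull in `os` or `subprocess`; the sandboxed run keeps the legitimate cross-reference in GREETING working and turns EVIL into a SecurityError. The sandbox narrows the attack surface rather than eliminating it: if configuration values can come from untrusted sources, the safer design is to not treat them as templates at all, and to review which sources may carry resolver-tagged values.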

