{"id":"PYSEC-2026-1122","summary":"Ansible template injection vulnerability","details":"A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.","aliases":["CVE-2023-5764","GHSA-7j69-qfc3-2fq9"],"modified":"2026-07-07T17:47:17.317137118Z","published":"2026-07-07T11:45:28.392678Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5764"},{"type":"WEB","url":"https://github.com/ansible/ansible/commit/270b39f6ff02511a2199505161218cbd1a5ae34f"},{"type":"WEB","url":"https://github.com/ansible/ansible/commit/7239d2d371bc6e274cbb7314e01431adce6ae25a"},{"type":"WEB","url":"https://github.com/ansible/ansible/commit/fea130480d261ea5bf6fcd5cf19a348f1686ceb1"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2023:7773"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2023-5764"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2247629"},{"type":"WEB","url":"https://github.com/ansible/ansible"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU"},{"type":"PACKAGE","url":"https://pypi.org/project/ansible-core"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-7j69-qfc3-2fq9"}],"affected":[{"package":{"name":"ansible-core","ecosystem":"PyPI","purl":"pkg:pypi/ansible-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.14.12"},{"introduced":"2.15.0"},{"fixed":"2.15.8"},{"introduced":"2.16.0"},{"fixed":"2.16.1"}]}],"versions":["0.0.1a1","2.11.0","2.11.0b1","2.11.0b2","2.11.0b3","2.11.0b4","2.11.0rc1","2.11.0rc2","2.11.1","2.11.10","2.11.10rc1","2.11.11","2.11.11rc1","2.11.12","2.11.12rc1","2.11.1rc1","2.11.2","2.11.2rc1","2.11.3","2.11.3rc1","2.11.4","2.11.4rc1","2.11.5","2.11.5rc1","2.11.6","2.11.6rc1","2.11.7","2.11.7rc1","2.11.8","2.11.8rc1","2.11.9","2.11.9rc1","2.12.0","2.12.0b1","2.12.0b2","2.12.0rc1","2.12.1","2.12.10","2.12.10rc1","2.12.1rc1","2.12.2","2.12.2rc1","2.12.3","2.12.3rc1","2.12.4","2.12.4rc1","2.12.5","2.12.5rc1","2.12.6","2.12.6rc1","2.12.7","2.12.7rc1","2.12.8","2.12.8rc1","2.12.9","2.12.9rc1","2.13.0","2.13.0b0","2.13.0b1","2.13.0rc1","2.13.1","2.13.10","2.13.10rc1","2.13.11","2.13.11rc1","2.13.12","2.13.12rc1","2.13.13","2.13.13rc1","2.13.1rc1","2.13.2","2.13.2rc1","2.13.3","2.13.3rc1","2.13.4","2.13.4rc1","2.13.5","2.13.5rc1","2.13.6","2.13.6rc1","2.13.7","2.13.7rc1","2.13.8","2.13.8rc1","2.13.9","2.13.9rc1","2.14.0","2.14.0b1","2.14.0b2","2.14.0b3","2.14.0rc1","2.14.0rc1.post0","2.14.0rc2","2.14.1","2.14.10","2.14.10rc1","2.14.11","2.14.11rc1","2.14.12rc1","2.14.1rc1","2.14.2","2.14.2rc1","2.14.3","2.14.3rc1","2.14.4","2.14.4rc1","2.14.5","2.14.5rc1","2.14.6","2.14.6rc1","2.14.7","2.14.7rc1","2.14.8","2.14.8rc1","2.14.9","2.14.9rc1","2.15.0","2.15.1","2.15.1rc1","2.15.2","2.15.2rc1","2.15.3","2.15.3rc1","2.15.4","2.15.4rc1","2.15.5","2.15.5rc1","2.15.6","2.15.6rc1","2.15.7","2.15.7rc1","2.16.0","2.16.1rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible-core/PYSEC-2026-1122.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"}]}