{"id":"PYSEC-2026-2147","details":"dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.","aliases":["CVE-2026-33154","GHSA-pxrr-hq57-q35p"],"modified":"2026-07-13T07:30:27.811827716Z","published":"2026-03-20T21:17:15.740Z","references":[{"type":"ADVISORY","url":"https://github.com/dynaconf/dynaconf/releases/tag/3.2.13"},{"type":"FIX","url":"https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7"},{"type":"EVIDENCE","url":"https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p"}],"affected":[{"package":{"name":"dynaconf","ecosystem":"PyPI","purl":"pkg:pypi/dynaconf"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.13"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.2.0","0.2.1","0.2.10","0.2.11","0.2.12","0.2.13","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.8","0.2.9","0.3.0","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.6.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.1.0","1.2.0","1.2.1","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","2.2.0","2.2.1","2.2.2","2.2.3","3.0.0","3.0.0rc1","3.0.0rc2","3.1.0","3.1.1","3.1.10","3.1.11","3.1.12","3.1.1rc1","3.1.1rc2","3.1.1rc3","3.1.1rc4","3.1.1rc5","3.1.1rc6","3.1.2","3.1.3","3.1.3rc1","3.1.4","3.1.5","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.10","3.2.11","3.2.12","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/dynaconf/PYSEC-2026-2147.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}