CVE-2026-33154

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

94

Improper Control of Generation of Code ('Code Injection')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Integrity Confidentiality Availability Non-Repudiation
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities
Applicable Platforms
Languages: Interpreted
Technologies: AI/ML
Likelihood of Exploit: Medium
View CWE Details
1336

Improper Neutralization of Special Elements Used in a Template Engine

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
Languages: Interpreted, Java, JavaScript, PHP, Python
Technologies: AI/ML, Client Server, Not Technology-Specific
View CWE Details
https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0c…
https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e86…
https://github.com/dynaconf/dynaconf/releases/tag/3.2.13
https://github.com/dynaconf/dynaconf/releases/tag/3.2.13
https://github.com/dynaconf/dynaconf/security/advisories/GH…
https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p