CVE-2026-33154 PUBLISHED

dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 20.03.2026 Updated: 20.03.2026

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	dynaconf
Product	dynaconf
Versions	Version < 3.2.13 is affected

References

Problem Types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE