๐Ÿ” CVE Alert

CVE-2026-33154

HIGH 7.5

dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

CVSS Score 7.5
EPSS Score 0.1%
EPSS Percentile 16th

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

CWE CWE-1336 CWE-94
Vendor dynaconf
Product dynaconf
Published Mar 20, 2026
Last Updated Mar 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Affected Versions

dynaconf / dynaconf
< 3.2.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
github.com: https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7
github.com: https://github.com/dynaconf/dynaconf/releases/tag/3.2.13