CVE-2026-23968

Description

Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that its safe to generate a project from a safe template, i.e. one that doesnt use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copiers default setting). Version 9.11.2 patches the issue.