Skip to content
CVSS 7.5 · HIGH

CVE-2026-41205

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

View on NVD

Analysis

Mako versions before 1.3.11 are vulnerable to path traversal when processing URIs starting with double slashes. If your application passes untrusted input to TemplateLookup.get_template(), an attacker could potentially read sensitive files on the server. Update to version 1.3.11 or later to fix this issue.

Severity

Score: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-22

EPSS

Probability of exploitation (next 30 days): 0.0009 (0.1%)
Percentile: 25.3%
EPSS: 2026-05-06

Affects

sqlalchemy:mako

Technical description

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Published: 4/23/2026, 7:17:29 PM
Last modified: 4/28/2026, 7:14:56 PM

References

HomeEventsBlogResourcesTeam