CVE-2026-41205
- Source
- https://cve.org/CVERecord?id=CVE-2026-41205
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41205.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-41205
- Aliases
- Downstream
- Related
- Published
- 2026-04-23T18:52:24.194Z
- Modified
- 2026-06-18T03:54:27.733152343Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Mako: Path traversal via double-slash URI prefix in TemplateLookup
- Details
-
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.gettemplate(). This vulnerability is fixed in 1.3.11.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41205.json" }- References
-
- https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_11
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41205.json
- https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm
- https://nvd.nist.gov/vuln/detail/CVE-2026-41205
- https://github.com/sqlalchemy/mako/commit/e05ac61989a7fb9dd7dcde6cfd72dc48328719a3
Affected packages
Git / github.com/sqlalchemy/mako
Affected ranges
- Type
- GIT
- Repo
- https://github.com/sqlalchemy/mako
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Database specific
{ "source": [ "CPE_RANGE", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "1.3.11" } ], "cpe": "cpe:2.3:a:sqlalchemy:mako:*:*:*:*:*:*:*:*" }
Affected versions
Other
rel_0_1_0
rel_0_1_1
rel_0_1_10
rel_0_1_2
rel_0_1_3
rel_0_1_4
rel_0_1_5
rel_0_1_6
rel_0_1_7
rel_0_1_8
rel_0_1_9
rel_0_2_0
rel_0_2_1
rel_0_2_2
rel_0_2_3
rel_0_2_4
rel_0_2_5
rel_0_3_0
rel_0_3_1
rel_0_3_2
rel_0_3_3
rel_0_3_4
rel_0_3_5
rel_0_3_6
rel_0_4_0
rel_0_4_1
rel_0_4_2
rel_0_5_0
rel_0_6_0
rel_0_6_1
rel_0_6_2
rel_0_7_0
rel_0_7_1
rel_0_7_2
rel_0_7_3
rel_0_8_0
rel_0_8_1
rel_0_9_0
rel_0_9_1
rel_1_0_0
rel_1_0_1
rel_1_0_10
rel_1_0_11
rel_1_0_12
rel_1_0_13
rel_1_0_14
rel_1_0_2
rel_1_0_3
rel_1_0_4
rel_1_0_5
rel_1_0_6
rel_1_0_7
rel_1_0_8
rel_1_0_9
rel_1_1_0
rel_1_1_1
rel_1_1_2
rel_1_1_3
rel_1_1_4
rel_1_1_5
rel_1_2_0
rel_1_2_1
rel_1_2_2
rel_1_2_3
rel_1_2_4
rel_1_3_0
rel_1_3_1
rel_1_3_10
rel_1_3_2
rel_1_3_3
rel_1_3_4
rel_1_3_5
rel_1_3_6
rel_1_3_7
rel_1_3_8
rel_1_3_9