DEBIAN-CVE-2026-41205

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-41205

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41205.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-41205

Upstream

CVE-2026-41205

Published

2026-04-23T19:17:29.270Z

Modified

2026-04-24T17:02:19.532032Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.gettemplate(). This vulnerability is fixed in 1.3.11.

References

https://security-tracker.debian.org/tracker/CVE-2026-41205

Affected packages

Debian:11 / mako

Package

Name: mako
Purl: pkg:deb/debian/mako?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3+ds1-2

1.1.3+ds1-2+deb11u1

1.1.3+ds1-3

1.2.2+ds1-1

1.2.4+ds-1

1.2.4+ds-2

1.3.1-1

1.3.2-1

1.3.5-1

1.3.5-1.1

1.3.6-1

1.3.8-1

1.3.8-2

1.3.9-1

1.3.10-1

1.3.10-2

1.3.10-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41205.json"

Debian:12 / mako

Package

Name: mako
Purl: pkg:deb/debian/mako?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.4+ds-1

1.2.4+ds-2

1.3.1-1

1.3.2-1

1.3.5-1

1.3.5-1.1

1.3.6-1

1.3.8-1

1.3.8-2

1.3.9-1

1.3.10-1

1.3.10-2

1.3.10-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41205.json"

Debian:13 / mako

Package

Name: mako
Purl: pkg:deb/debian/mako?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.9-1

1.3.10-1

1.3.10-2

1.3.10-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41205.json"

Debian:14 / mako

Package

Name: mako
Purl: pkg:deb/debian/mako?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.9-1

1.3.10-1

1.3.10-2

1.3.10-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-41205.json"