PYSEC-2026-88

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/mako/PYSEC-2026-88.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2026-88

Aliases

Published

2026-04-23T19:17:29.270Z

Modified

2026-05-20T09:19:06.232960Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.gettemplate(). This vulnerability is fixed in 1.3.11.

References

https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm

Affected packages

PyPI / mako

Package

Name: mako; View open source insights on deps.dev
Purl: pkg:pypi/mako

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.11

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.10

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.1

0.4.2

0.5.0

0.6.0

0.6.1

0.6.2

0.7.0

0.7.1

0.7.2

0.7.3

0.8.0

0.8.1

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/mako/PYSEC-2026-88.yaml"