High severity7.5NVD Advisory· Published Apr 23, 2026· Updated Apr 28, 2026

CVE-2026-41205

Description

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
MakoPyPI	< 1.3.11	1.3.11

Affected products

Sqlalchemy/Mako
cpe:2.3:a:sqlalchemy:mako:*:*:*:*:*:*:*:*
Range: <1.3.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-v92g-xgxw-vvmmghsaADVISORY
github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmmnvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-41205ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000