High severity (score 7.5) · NVD advisory · Published Apr 23, 2026 · Updated May 20, 2026
CVE-2026-41205
Description
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.
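The description names the root cause as two slash-stripping routines that disagree, without showing how that disagreement turns into a traversal. The Python below is an added illustration, not Mako's code and not the fix commit: check_single_strip and resolve_multi_strip are hypothetical reconstructions of the pattern (one drops a single leading slash before validating, the other drops every leading slash before joining onto the template directory), and lookup_hardened is one way to close the gap by normalising once and checking containment against the resolved root. The directory layout, the secret.txt file and the URIs are constructed for the demo.

```python
import os
import posixpath
import re
import tempfile


def check_single_strip(uri):
    """Hypothetical check-side routine (not Mako's): drop ONE leading slash,
    normalise, reject anything that still begins with "..".  For "//../x"
    the leftover "/../x" normalises to "/x", because normpath discards ".."
    segments at the root, so the check passes."""
    if uri.startswith("/"):
        uri = uri[1:]
    normalized = posixpath.normpath(uri)
    return not (normalized == ".." or normalized.startswith("../"))


def resolve_multi_strip(root, uri):
    """Hypothetical resolve-side routine (not Mako's): drop ALL leading
    slashes, then join onto the template directory.  Here "//../x" becomes
    "../x", which is relative to root, so the ".." segment walks out of it."""
    u = re.sub(r"^/+", "", uri)
    root = root.replace(os.path.sep, posixpath.sep)
    return posixpath.normpath(posixpath.join(root, u))


def lookup_vulnerable(root, uri):
    """Check with one routine, resolve with the other: the disagreement on
    how many slashes to strip is the whole bug.  Returns the file it would
    open, or None."""
    if not check_single_strip(uri):
        return None
    path = resolve_multi_strip(root, uri)
    return path if os.path.isfile(path) else None


def lookup_hardened(root, uri):
    """Normalise once, resolve symlinks, and accept the candidate only if it
    is still inside the template root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, uri.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Constructed layout: <tmp>/templates/index.html is the legitimate
    template root; <tmp>/secret.txt sits one level above it.  Returns which
    lookups succeed and which expose the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "templates")
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>ok</h1>")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("top secret")

        def leaks(path):
            if path is None:
                return False
            with open(path) as fh:
                return fh.read() == "top secret"

        # One ".." suffices here because root sits one level below
        # secret.txt; the advisory's "//../../../secret.txt" just uses more.
        hostile = "//../secret.txt"
        return {
            "vuln_legit": lookup_vulnerable(root, "/index.html") is not None,
            "vuln_single_slash": leaks(lookup_vulnerable(root, "/../secret.txt")),
            "vuln_double_slash": leaks(lookup_vulnerable(root, hostile)),
            "hard_legit": lookup_hardened(root, "/index.html") is not None,
            "hard_double_slash": leaks(lookup_hardened(root, hostile)),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the single-slash payload is rejected by the vulnerable lookup while the double-slash one is served, and the hardened lookup refuses it. On Python 3.9+ `pathlib.Path.is_relative_to` expresses the same containment test as the commonpath comparison. The containment check is the one to keep in any application that resolves user-controlled template names, but the actual remediation for this CVE is upgrading Mako to 1.3.11.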
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Mako (PyPI) | < 1.3.11 | 1.3.11 |
Affected products
- cpe:2.3:a:sqlalchemy:mako:*:*:*:*:*:*:*:* range: < 1.3.11
- (no CPE) range: <= 1.3.10
OSV coordinates (22 downstream package versions):
- pkg:apk/chainguard/airflow-2: < 2.11.2-r9
- pkg:apk/chainguard/airflow-3: < 3.2.1-r0
- pkg:apk/chainguard/airflow-core-3: < 3.2.1-r1
- pkg:apk/chainguard/dagster: < 1.13.2-r0
- pkg:apk/chainguard/dagster-fips: < 1.13.3-r0
- pkg:apk/chainguard/jupyter-base-notebook: < 7.5.5-r4
- pkg:apk/chainguard/mlflow: < 3.11.1-r0
- pkg:apk/chainguard/nemo: < 2.7.2-r2
- pkg:apk/chainguard/open-webui: < 0.9.2-r0
- pkg:apk/chainguard/pgadmin4-fips: < 9.14-r1
- pkg:apk/chainguard/py3.11-prefect-fips: < 3.6.27-r0
- pkg:apk/chainguard/py3.12-prefect-fips: < 3.6.27-r0
- pkg:apk/chainguard/py3.13-prefect-fips: < 3.6.27-r0
- pkg:apk/chainguard/superset-5.0: < 5.0.0-r24
- pkg:apk/chainguard/superset-6.0: < 6.0.0-r9
- pkg:apk/wolfi/airflow-3: < 3.2.1-r0
- pkg:apk/wolfi/jupyter-base-notebook: < 7.5.5-r4
- pkg:apk/wolfi/mlflow: < 3.11.1-r0
- pkg:apk/wolfi/open-webui: < 0.9.2-r0
- pkg:apk/wolfi/superset-5.0: < 5.0.0-r24
- pkg:apk/wolfi/superset-6.0: < 6.0.0-r9
- pkg:rpm/opensuse/python-Mako&distro=openSUSE%20Tumbleweed: < 1.3.11-1.1
Patches
Fixed in Mako 1.3.11 (commit e05ac61989a7fb9dd7dcde6cfd72dc48328719a3, release tag rel_1_3_11). Until the upgrade is deployed, do not pass untrusted input directly to TemplateLookup.get_template(); map user-controlled names onto a fixed set of known template URIs first, since any URI beginning with // that reaches the lookup can select a file outside the template directories.
References
- GHSA-v92g-xgxw-vvmm (GitHub advisory database): github.com/advisories/GHSA-v92g-xgxw-vvmm
- Vendor advisory with mitigation (sqlalchemy/mako): github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-41205
- PYSEC-2026-88 (PyPA advisory database): github.com/pypa/advisory-database/tree/main/vulns/mako/PYSEC-2026-88.yaml
- Fix commit: github.com/sqlalchemy/mako/commit/e05ac61989a7fb9dd7dcde6cfd72dc48328719a3
- Release 1.3.11: github.com/sqlalchemy/mako/releases/tag/rel_1_3_11