VYPR

Mako

by Sqlalchemy

pypi: mako


CVEs (3)

  • CVE-2026-44307 | High | May 12, 2026
    risk 0.50 | cvss | epss 0.01

    Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads…

  • CVE-2026-41205 | High | Apr 23, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable…

  • CVE-2022-40023 | Sep 7, 2022
    risk 0.00 | cvss | epss 0.02

    Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.