CVE-2026-44307
Published: May 12, 2026
Modified: May 13, 2026
PUBLISHED
Description
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a template URI that uses backslashes for traversal (e.g. `\..\..\secret.txt`) bypasses both the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(): posixpath treats a backslash as an ordinary filename character, so the `..` components are never collapsed or rejected, while the Windows filesystem treats the same backslash as a path separator and walks out of the directory. The result is a read of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
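The separator mismatch described above, shown as an added example. This is illustrative code written for this page, not Mako's own implementation: the function names, the template directory and the exact shape of the pre-fix check are assumptions. Windows path semantics are reproduced with the `ntpath` module rather than by running on Windows, so the script behaves identically on any OS.

```python
"""Why a backslash URI slips past a posixpath-only traversal check.

Added example for CVE-2026-44307; it is not Mako's code. The function
names, the template directory and the shape of the pre-fix check are
hypothetical. Windows path rules are reproduced with ntpath so the script
gives the same answers on Linux, macOS and Windows.
"""
import ntpath
import posixpath

TEMPLATE_DIR = "/srv/app/templates"  # constructed template root


def flawed_lookup(uri: str, base: str = TEMPLATE_DIR) -> str:
    """Pre-fix pattern (hypothetical): normalise with posixpath and reject
    only '/'-separated '..' components. posixpath never treats '\\' as a
    separator, so '\\..\\..\\secret.txt' is one opaque file name to it."""
    rel = posixpath.normpath(uri.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise ValueError(f"traversal rejected: {uri!r}")
    return posixpath.join(base, rel)


def on_windows(path: str) -> str:
    """What the Windows file API actually opens: both '/' and '\\' are
    separators there, so '..' components written with backslashes collapse."""
    return ntpath.normpath(path)


def hardened_lookup(uri: str, base: str = TEMPLATE_DIR, windows: bool = False) -> str:
    """Post-fix pattern: normalise with the path rules of the host OS, then
    require the result to stay under `base` (commonpath) instead of
    pattern-matching '..'. `windows` selects ntpath for the demonstration;
    real code would simply use os.path."""
    mod = ntpath if windows else posixpath
    root = mod.normpath(base)
    candidate = mod.normpath(mod.join(base, uri.lstrip("/\\")))
    try:
        inside = mod.commonpath([root, candidate]) == root
    except ValueError:  # different drive, or rooted vs. relative: never inside
        inside = False
    if not inside:
        raise ValueError(f"traversal rejected: {uri!r}")
    return candidate


def is_rejected(lookup, uri: str, **kwargs) -> bool:
    """True if `lookup` refuses `uri`."""
    try:
        lookup(uri, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "\\..\\..\\secret.txt"
    print("flawed check, slash form :", is_rejected(flawed_lookup, "/../secret.txt"))
    print("flawed check, backslash  :", is_rejected(flawed_lookup, evil))
    print("Windows would open       :", on_windows(flawed_lookup(evil)))
    print("hardened, Windows rules  :", is_rejected(hardened_lookup, evil, windows=True))
    print("hardened, POSIX rules    :", hardened_lookup(evil))
```

Note the last line: under POSIX rules the hardened lookup accepts the backslash URI, and that is correct, because on Linux `..\..\secret.txt` is a single literal filename inside the template directory. The bug is not that backslashes are accepted, but that the check used one OS's separator rules while the filesystem applied another's; the fix is to let the host OS's path module decide and then verify containment.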
| Vendor | Product | Versions |
|---|---|---|
| sqlalchemy | mako | affected: < 1.3.12 |
Weaknesses (CWE)
References
- https://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq (x_refsource_CONFIRM)
- https://github.com/sqlalchemy/mako/issues/435 (x_refsource_MISC)
- https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12 (x_refsource_MISC)