{"id":"CVE-2026-41205","summary":"Mako: Path traversal via double-slash URI prefix in TemplateLookup","details":"Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.","aliases":["GHSA-v92g-xgxw-vvmm","PYSEC-2026-88"],"modified":"2026-05-28T03:55:04.819581333Z","published":"2026-04-23T18:52:24.194Z","related":["CGA-p9f5-36mv-9rxh","SUSE-SU-2026:1819-1","SUSE-SU-2026:1820-1","SUSE-SU-2026:21426-1","openSUSE-SU-2026:10616-1","openSUSE-SU-2026:20645-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41205.json"},"references":[{"type":"WEB","url":"https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_11"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41205.json"},{"type":"ADVISORY","url":"https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41205"},{"type":"FIX","url":"https://github.com/sqlalchemy/mako/commit/e05ac61989a7fb9dd7dcde6cfd72dc48328719a3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sqlalchemy/mako","events":[{"introduced":"0"},{"fixed":"217822b548fdf9fd730b2f3c1f1e770d4c816df9"}]}],"versions":["rel_1_3_10","rel_1_3_9","rel_1_3_8","rel_1_3_7","rel_1_3_6","rel_1_3_5","rel_1_3_4","rel_1_3_3","rel_1_3_2","rel_1_3_1","rel_1_3_0","rel_1_2_4","rel_1_2_3","rel_1_2_2","rel_1_2_1","rel_1_2_0","rel_1_1_5","rel_1_1_4","rel_1_1_3","rel_1_1_2","rel_1_1_1","rel_1_1_0","rel_1_0_14","rel_1_0_13","rel_1_0_12","rel_1_0_11","rel_1_0_10","rel_1_0_9","rel_1_0_8","rel_1_0_7","rel_1_0_6","rel_1_0_5","rel_1_0_4","rel_1_0_3","rel_1_0_2","rel_1_0_1","rel_1_0_0","rel_0_9_1","rel_0_9_0","rel_0_8_1","rel_0_8_0","rel_0_7_3","rel_0_7_2","rel_0_7_1","rel_0_7_0","rel_0_6_2","rel_0_6_1","rel_0_6_0","rel_0_5_0","rel_0_4_2","rel_0_4_1","rel_0_4_0","rel_0_3_6","rel_0_3_5","rel_0_3_4","rel_0_3_3","rel_0_3_2","rel_0_3_1","rel_0_3_0","rel_0_2_5","rel_0_2_4","rel_0_2_3","rel_0_2_2","rel_0_2_1","rel_0_2_0","rel_0_1_10","rel_0_1_9","rel_0_1_8","rel_0_1_7","rel_0_1_6","rel_0_1_5","rel_0_1_4","rel_0_1_3","rel_0_1_2","rel_0_1_1","rel_0_1_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41205.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}]}