{"id":"CVE-2026-44307","summary":"Mako: Path traversal via backslash URI on Windows in TemplateLookup","details":"Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \\..\\..\\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.","aliases":["GHSA-2h4p-vjrc-8xpq"],"modified":"2026-06-18T03:56:28.320407650Z","published":"2026-05-12T21:53:52.826Z","related":["CGA-5v3q-r344-q4xf"],"database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44307.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44307.json"},{"type":"ADVISORY","url":"https://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44307"},{"type":"REPORT","url":"https://github.com/sqlalchemy/mako/issues/435"},{"type":"FIX","url":"https://github.com/sqlalchemy/mako/commit/72e10c573ca0fbcbddd4455abca8ce92a61780d7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sqlalchemy/mako","events":[{"introduced":"0"},{"fixed":"d4d1639222d2da4f18c32d11f32c37f172f603bd"},{"fixed":"72e10c573ca0fbcbddd4455abca8ce92a61780d7"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.3.12"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["rel_1_3_11","rel_1_3_10","rel_1_3_9","rel_1_3_8","rel_1_3_7","rel_1_3_6","rel_1_3_5","rel_1_3_4","rel_1_3_3","rel_1_3_2","rel_1_3_1","rel_1_3_0","rel_1_2_4","rel_1_2_3","rel_1_2_2","rel_1_2_1","rel_1_2_0","rel_1_1_5","rel_1_1_4","rel_1_1_3","rel_1_1_2","rel_1_1_1","rel_1_1_0","rel_1_0_14","rel_1_0_13","rel_1_0_12","rel_1_0_11","rel_1_0_10","rel_1_0_9","rel_1_0_8","rel_1_0_7","rel_1_0_6","rel_1_0_5","rel_1_0_4","rel_1_0_3","rel_1_0_2","rel_1_0_1","rel_1_0_0","rel_0_9_1","rel_0_9_0","rel_0_8_1","rel_0_8_0","rel_0_7_3","rel_0_7_2","rel_0_7_1","rel_0_7_0","rel_0_6_2","rel_0_6_1","rel_0_6_0","rel_0_5_0","rel_0_4_2","rel_0_4_1","rel_0_4_0","rel_0_3_6","rel_0_3_5","rel_0_3_4","rel_0_3_3","rel_0_3_2","rel_0_3_1","rel_0_3_0","rel_0_2_5","rel_0_2_4","rel_0_2_3","rel_0_2_2","rel_0_2_1","rel_0_2_0","rel_0_1_10","rel_0_1_9","rel_0_1_8","rel_0_1_7","rel_0_1_6","rel_0_1_5","rel_0_1_4","rel_0_1_3","rel_0_1_2","rel_0_1_1","rel_0_1_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44307.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}