Skip to main content

Mako Templates CVE-2026-44307

HIGH
Path Traversal (CWE-22)
2026-05-06 https://github.com/sqlalchemy/mako GHSA-2h4p-vjrc-8xpq
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 12, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 22:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 22:38 vuln.today
Analysis Generated
May 06, 2026 - 22:38 vuln.today
CVE Published
May 06, 2026 - 21:45 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8,345 pypi packages depend on mako (483 direct, 7,901 indirect)

Ecosystem-wide dependent count for version 1.3.12.

DescriptionGitHub Advisory

Summary

On Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory.

Details

The root cause is a mismatch between posixpath (used for URI normalization in get_template()) and os.path (used for file access via os.path.isfile() and validation via os.path.normpath() in Template.__init__). On Windows, os.path is ntpath, which treats \ as a path separator, while posixpath treats it as a literal character.

The vulnerability chain:

  1. get_template() strips only leading / via re.sub(r"^\/+", "", uri) and normalizes with posixpath - backslash \ is treated as a literal character, so \..\ secret.txt passes through with .. undetected.
  2. Template.__init__() validation uses os.path.normpath() - on Windows this resolves \..\ secret.txt to \secret.txt, which does not start with .., so the startswith("..") check passes.
  3. os.path.isfile() on Windows interprets \ as a path separator, resolving the .. traversal and finding files outside the template directory.

Affected code

  • mako/lookup.py: TemplateLookup.get_template() uses posixpath.normpath/posixpath.join for path construction but os.path.isfile() for existence check
  • mako/template.py: Template.__init__() URI validation uses os.path.normpath() which on Windows resolves backslash traversal to a form that passes the startswith("..") guard

Impact

If an application passes user-controlled template names or include paths to TemplateLookup.get_template(), an attacker on Windows may be able to load and disclose readable files outside the configured template directory. The primary impact is local file disclosure. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template.

Remediation

The fix should normalize backslashes to forward slashes early in the URI processing pipeline, before any path operations, to ensure consistent behavior across platforms.

AnalysisAI

Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.

Technical ContextAI

Mako is a widely-used Python template engine in the SQLAlchemy ecosystem (pkg:pip/mako). This vulnerability exploits a platform-specific behavioral gap between Python's posixpath module (used for URI normalization in TemplateLookup.get_template()) and os.path/ntpath (used for filesystem operations on Windows). The posixpath module treats backslashes as literal characters rather than path separators, allowing traversal sequences like '\..\..' to pass validation undetected. When the URI reaches Template.__init__(), Windows' ntpath.normpath() collapses the backslash traversal to a form that bypasses the startswith('..') security check, then os.path.isfile() resolves the actual filesystem path using Windows path semantics. This is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal vulnerability arising from inconsistent path handling across platform-specific modules within the same codebase.

RemediationAI

Upgrade to Mako 1.3.12 or later, which normalizes backslashes to forward slashes early in URI processing (confirmed fix in commit 72e10c573ca0fbcbddd4455abca8ce92a61780d7, release tag rel_1_3_12 at https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12). If immediate upgrade is not feasible, implement input validation to reject or sanitize template URIs containing backslash characters before passing to TemplateLookup.get_template() - use uri.replace('\\', '/') or reject URIs matching regex pattern containing backslashes. Note this workaround may break legitimate use cases if applications intentionally use backslash-containing template names. As defense-in-depth, restrict filesystem permissions on the Python application service account to minimize exposure of sensitive files, and avoid designing application features that allow end-user control of template selection parameters. Audit existing code for patterns where HTTP parameters, form inputs, or external data sources flow into template lookup calls.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-44307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy