Vulnerability Description
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
Related Weaknesses (CWE)
References
- https://github.com/sqlalchemy/mako/commit/72e10c573ca0fbcbddd4455abca8ce92a61780
- https://github.com/sqlalchemy/mako/issues/435
- https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12
- https://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq
FAQ
What is CVE-2026-44307?
CVE-2026-44307 is a documented vulnerability. Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the...
How severe is CVE-2026-44307?
CVSS scoring is not yet available for CVE-2026-44307. Check NVD for updates.
Is there a patch for CVE-2026-44307?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.