Description
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mako, a Python template library, contains a directory traversal flaw that can be triggered on Windows systems by supplying a template URI containing backslash traversal sequences (for example, "\\..\\..\\secret.txt"). Such a URI bypasses both the traversal check performed in Template.__init__ and the subsequent posixpath-based normalization in TemplateLookup.get_template(), because posixpath treats only the forward slash as a separator while Windows also accepts the backslash. The result is an unauthorized read of files outside the intended template directory: a classic path traversal weakness (CWE-22) that can disclose sensitive system files or other confidential data handled by the application.

Affected Systems

The issue affects every installation of Mako older than version 1.3.12 that runs on a Windows platform. The library is distributed by the SQLAlchemy project; any deployment of a version prior to 1.3.12 on Windows should be treated as vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, a high severity rating. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the absence of an EPSS score does not lessen its exploitability. An attacker can trigger the flaw remotely through any web application or service that passes user-supplied template names to Mako, since the backslash traversal exploits a Windows-specific gap in the library's path handling logic. Given the high CVSS score and the remote, unauthenticated attack vector, this vulnerability warrants prompt remediation.

Generated by OpenCVE AI on May 12, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mako version 1.3.12 or later, which implements proper traversal checks and path normalization.
  • Configure the application to restrict template rendering to explicit, whitelisted file names and directories to eliminate unintended access.
  • Sanitize all user-supplied template URIs by removing backslash characters and rejecting any traversal patterns before passing them to Mako's TemplateLookup.
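As an added, defender-side illustration (not Mako's code and not part of the OpenCVE record), the snippet below models why posixpath-only normalization, as described above, leaves backslash traversal intact when the result is resolved under Windows path rules, and shows a pre-check of the kind the third action recommends. The template root and function names are constructed for the example; ntpath is used so the Windows behaviour can be reproduced on any OS.

```python
"""Constructed example: posixpath-based normalization vs. Windows path
rules, plus a pre-check for user-supplied template URIs. Not Mako's own
code; TEMPLATE_ROOT is an assumed path used only for illustration."""
import ntpath
import posixpath

TEMPLATE_ROOT = r"C:\app\templates"  # assumed, for illustration only


def posix_normalize(uri: str) -> str:
    """Normalize the way a posixpath-based lookup does: only '/' is a
    separator, so backslash-delimited '..' segments survive untouched."""
    return posixpath.normpath("/" + uri)


def escapes_root_on_windows(uri: str, root: str = TEMPLATE_ROOT) -> bool:
    """Model the failure mode: normalize with posixpath, then resolve the
    result with Windows rules (ntpath works on any OS) and report whether
    the final path lands outside `root`."""
    normalized = posix_normalize(uri).lstrip("/")
    # A component that starts with '\' is rooted on Windows, so ntpath.join
    # drops the template directory and keeps only the drive letter.
    resolved = ntpath.normpath(ntpath.join(root, normalized))
    root = ntpath.normpath(root)
    return ntpath.commonpath([root, resolved]) != root


def is_safe_template_uri(uri: str) -> bool:
    """Reject a URI before it reaches TemplateLookup.get_template():
    empty input, NUL bytes, any backslash, a drive or UNC prefix, and
    any '..' segment. Forward-slash URIs such as '/pages/index.html'
    (Mako's usual form) are allowed."""
    if not uri or "\x00" in uri or "\\" in uri:
        return False
    if ntpath.splitdrive(uri)[0]:  # e.g. 'C:/...' or '//server/share/...'
        return False
    return ".." not in uri.split("/")


if __name__ == "__main__":
    for uri in ("pages/index.html", "../../secret.txt", "\\..\\..\\secret.txt"):
        print(f"{uri!r:26} escapes={escapes_root_on_windows(uri)!s:5} "
              f"safe={is_safe_template_uri(uri)}")
```

Forward-slash traversal is already collapsed by the posixpath step, which is why only the backslash form escapes the root in this model.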

Advisories

Source: GitHub GHSA
ID: GHSA-2h4p-vjrc-8xpq
Title: Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup

History

Wed, 13 May 2026 00:00:00 +0000

Values Added:
First Time appeared: Sqlalchemy; Sqlalchemy mako
Vendors & Products: Sqlalchemy; Sqlalchemy mako

Tue, 12 May 2026 22:15:00 +0000

Values Added:
Description: Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
Title: Mako: Path traversal via backslash URI on Windows in TemplateLookup
Weaknesses: CWE-22
References:
Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:53:52.826Z

Reserved: 2026-05-05T19:00:06.021Z

Link: CVE-2026-44307

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:37.567

Modified: 2026-05-12T22:16:37.567

Link: CVE-2026-44307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses