
CVE

CVE-2026-41205

Mako: Path traversal via double-slash URI prefix in TemplateLookup

Summary

TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations:

  • Template.__init__ strips one leading / using if/slice
  • TemplateLookup.get_template() strips all leading / using re.sub(r"^\/+", "")

When a URI like //../../../../etc/passwd is passed:

  1. get_template() strips all / → ../../../../etc/passwd → file found via posixpath.join(dir_, u)
  2. Template.__init__ strips one / → /../../../../etc/passwd → normpath → /etc/passwd
  3. "/etc/passwd".startswith("..") → False → check bypassed

Impact

Arbitrary file read: any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template().

Note: this is exploitable at the library API level. HTTP-based exploitation is mitigated by Python's BaseHTTPRequestHandler which normalizes double-slash prefixes since CPython gh-87389. Applications using other HTTP servers that do not normalize paths may be affected.

Fix

Changed Template.__init__ to use lstrip("/") instead of stripping only a single leading slash, so both code paths handle leading slashes consistently.
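A simplified model of the two normalization stages described in the Summary and of the Fix, added here as an illustration (this is not Mako's own code): TEMPLATE_DIR, the function names and the ".." guard are constructed for the example. It shows why a single-slash strip lets //../../../../etc/passwd past a guard that a full lstrip("/") rejects, and adds the containment check a caller can apply independently of how the URI was stripped.

```python
import posixpath
import re
from typing import Optional

# Constructed template root for the demonstration (not a real deployment path).
TEMPLATE_DIR = "/srv/app/templates"


def lookup_locate(uri: str) -> str:
    """Model of the lookup stage: strip ALL leading slashes, then join onto the
    template directory. Joining a relative path lets '..' components climb out
    of TEMPLATE_DIR, which is what makes the traversal reachable."""
    rel = re.sub(r"^\/+", "", uri)
    return posixpath.normpath(posixpath.join(TEMPLATE_DIR, rel))


def escapes_template_dir(uri: str, strip_all: bool) -> bool:
    """Model of the second, independent normalization stage and its guard.

    strip_all=False: pre-fix behaviour, exactly one leading slash removed (slice).
    strip_all=True:  fixed behaviour, lstrip('/') removes every leading slash.
    The guard flags a URI whose normalized form still starts with '..'.
    With the single-slash strip, '//../..' becomes '/../..', and normpath
    collapses a leading '/..' to '/', so the guard never sees the '..'.
    """
    if strip_all:
        u = uri.lstrip("/")
    else:
        u = uri[1:] if uri.startswith("/") else uri
    return posixpath.normpath(u).startswith("..")


def safe_resolve(uri: str, strip_all: bool) -> Optional[str]:
    """Return the resolved filesystem path if the guard accepts the URI, else None."""
    if escapes_template_dir(uri, strip_all):
        return None
    return lookup_locate(uri)


def resolved_path_is_inside(path: str) -> bool:
    """Containment check on the final path; this holds regardless of how many
    leading slashes the URI carried, so it does not depend on the strip logic."""
    return path == TEMPLATE_DIR or path.startswith(TEMPLATE_DIR + "/")


if __name__ == "__main__":
    uri = "//../../../../etc/passwd"
    print("pre-fix :", safe_resolve(uri, strip_all=False))  # resolves outside the root
    print("fixed   :", safe_resolve(uri, strip_all=True))   # rejected by the guard
```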


CVSS

Severity   Base Score   CVSS Version   Score Vector
-          7.7          4.0            CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
-          0            3.1            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
-          7.5          3.1            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


References

https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm
https://nvd.nist.gov/vuln/detail/CVE-2026-41205
https://github.com/sqlalchemy/mako/commit/e05ac61989a7fb9dd7dcde6cfd72dc48328719a3
https://github.com/pypa/advisory-database/tree/main/vulns/mako/PYSEC-2026-88.yaml
https://github.com/sqlalchemy/mako
https://github.com/sqlalchemy/mako/releases/tag/rel13_11

Severity: 7.5

Basic Information

Base CVSS: 7.5
EPSS Probability: 0.00093%
EPSS Percentile: 0.26102%
Introduced Version: 0, 1.2.0, 1.0.6, 0.8.0, 0.7.0, 0.6.0, 0.4.0, 0.3.6, 0.3.0, 0.2.3, 0.2.0, 0.1.6, 0.1.5, 0.1.3, 0.1.2, 0.1.0
Fix Available: 1.3.11, 2.11.2-r9, 3.2.1-r0, 3.2.1-r1, 1.13.2-r0, 1.13.3-r0, 7.5.5-r4, 3.11.1-r0, 2.7.2-r2, 0.9.2-r0, 9.14-r1, 5.0.0-r24
