PatchSiren cyber security CVE debrief

CVE-2026-41205 sqlalchemy CVE debrief

A path traversal vulnerability exists in Mako, a Python template library, prior to version 1.3.11. The vulnerability resides in `TemplateLookup.get_template()` when processing URIs beginning with double slashes (`//`). An inconsistency between two slash-stripping implementations allows attackers to bypass path normalization and traverse outside intended template directories. When applications pass untrusted input directly to `TemplateLookup.get_template()`, arbitrary files readable by the process can be returned as rendered template content. This represents a confidentiality breach without integrity or availability impact. The vulnerability was disclosed on 2026-04-23 and last modified on 2026-05-20. A fix is available in Mako 1.3.11.

Vendor: sqlalchemy
Product: mako
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-05-20
Advisory published: 2026-04-23
Advisory updated: 2026-05-20

Who should care

Organizations using Mako template library versions prior to 1.3.11, particularly those exposing template lookup functionality to untrusted input. Application developers implementing dynamic template resolution based on user-supplied identifiers. Security teams monitoring Python web applications for path traversal vulnerabilities in template engines.

Technical summary

The vulnerability stems from inconsistent slash-stripping logic in Mako's `TemplateLookup.get_template()` method. When a URI begins with `//`, one code path strips leading slashes while another does not, causing path normalization to fail. This allows directory traversal sequences like `//../../../secret.txt` to escape the intended template root directory. The attack requires network access but no authentication or user interaction. Successful exploitation yields high confidentiality impact by exposing arbitrary file contents readable by the application process. The vulnerability does not affect integrity or availability per the CVSS 4.0 vector.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Mako to version 1.3.11 or later to remediate the path traversal vulnerability
  • Validate and sanitize all untrusted input before passing it to TemplateLookup.get_template()
  • Implement strict allowlist-based path validation for template lookups
  • Review application code for direct passing of user-controlled input to template lookup methods
  • Monitor for anomalous template resolution requests containing double-slash prefixes
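The following is an added example, not code from Mako or from this debrief, showing how the two actions above (allowlist-based validation before calling `TemplateLookup.get_template()`, and monitoring for double-slash prefixes) can be implemented in application code. It assumes a constructed template root `/srv/app/templates` and a constructed allowlist; the detection helper goes slightly beyond the advisory by also flagging `..` segments, not only a `//` prefix.

```python
import os
from typing import Optional

# Constructed values for this example: the single directory templates may be
# loaded from, and an explicit allowlist of the template names the app exposes.
TEMPLATE_ROOT = "/srv/app/templates"
ALLOWED_TEMPLATES = {"index.html", "profile/view.html", "mail/welcome.txt"}


def is_suspicious_uri(uri: str) -> bool:
    """Detection helper: flag template identifiers worth logging or alerting on.

    A leading '//' (the prefix named in the advisory) or any '..' path segment is
    anomalous for a well-behaved client and should be recorded before rejection.
    """
    segments = uri.replace("\\", "/").split("/")
    return uri.startswith("//") or ".." in segments


def resolve_template_uri(uri: str) -> Optional[str]:
    """Return the allowlisted template name for `uri`, or None if it must be rejected.

    Rule 1: the requested name must appear verbatim in the allowlist, so no
            normalisation quirk in the lookup library is ever exercised.
    Rule 2: the allowlisted name must still resolve inside TEMPLATE_ROOT, so a
            mistaken allowlist entry cannot point outside the root either.
    Only a value returned here should be handed to TemplateLookup.get_template().
    """
    if not uri or uri != uri.strip() or "\x00" in uri:
        return None
    if uri not in ALLOWED_TEMPLATES:
        return None
    candidate = os.path.normpath(os.path.join(TEMPLATE_ROOT, uri))
    # commonpath also rejects a sibling directory such as /srv/app/templates2
    if os.path.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        return None
    return uri


if __name__ == "__main__":
    for requested in ("index.html", "//../../../secret.txt", "profile/view.html"):
        flag = "SUSPICIOUS" if is_suspicious_uri(requested) else "ok"
        print(f"{requested!r}: {flag}, resolves to {resolve_template_uri(requested)!r}")
```

The wrapper deliberately does not try to "clean" a bad identifier; anything not on the allowlist is refused outright, and the detection helper gives the monitoring signal the action list calls for.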

Evidence notes

CVE description confirms path traversal via `//` prefix in URIs. Root cause identified as inconsistency between slash-stripping implementations. CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) confirms network-accessible, low-complexity attack with high confidentiality impact. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) classified as secondary weakness source. Fix commit e05ac61989a7fb9dd7dcde6cfd72dc48328719a3 and release 1.3.11 confirm remediation.

Official resources
