EXECUTIVE SUMMARY:
CVE-2026-44307 (CVSS 8.7) is a path traversal vulnerability in Mako's TemplateLookup on Windows. A template URI containing backslashes bypasses the directory traversal check and allows files outside the configured template directory to be read. The root cause is a mismatch between the two path modules involved: posixpath is used to normalize and validate the URI, while os.path (which is ntpath on Windows) is used to access the file. posixpath treats a backslash as an ordinary filename character, so a URI such as "..\..\target" contains no ".." component after posix normalization and passes the check, yet Windows honours the backslashes as separators when the file is opened. When the application runs on Windows, an attacker who can pass user-controlled template names or include paths to TemplateLookup.get_template() can therefore disclose any file readable by the application process. The primary impact is local file disclosure; additionally, if the targeted file contains Mako/Python template syntax, it is parsed and executed as a template. The business impact is unauthorized access to sensitive data and potential system compromise. The prerequisite for exploitation is the ability to pass user-controlled input to TemplateLookup.get_template().
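The posixpath/os.path mismatch described above can be reproduced independently of Mako. The script below is an added illustration, not code from Mako or from the advisory: it models a containment check that normalizes with posixpath (the flawed pattern) next to what ntpath, which is os.path on Windows, actually resolves the same URI to, and then shows a hardened check that normalizes and validates with the same path module the filesystem uses. The template root C:\app\templates and the URIs are constructed for the example; ntpath is called explicitly so the script runs on any OS.

```python
import ntpath
import posixpath

# Constructed template root for illustration (not a real deployment path).
TEMPLATE_DIR = r"C:\app\templates"


def posix_only_check(directory, uri):
    """Containment check done with posixpath only (the flawed pattern).

    Returns (allowed, candidate). posixpath knows only '/' as a separator,
    so a backslash-separated '..\\..\\x' never yields a '..' component and
    the candidate still appears to sit under the template directory.
    """
    dir_posix = directory.replace("\\", "/").rstrip("/")
    candidate = posixpath.normpath(posixpath.join(dir_posix, uri))
    allowed = candidate.startswith(dir_posix + "/")
    return allowed, candidate


def windows_resolves_to(directory, uri):
    """What the filesystem layer opens on Windows: os.path is ntpath there,
    and ntpath treats '\\' as a separator, so '..' segments are resolved."""
    return ntpath.normpath(ntpath.join(directory, uri))


def hardened_check(directory, uri, pathmod=ntpath):
    """Normalize and validate with the same path module the filesystem uses.

    pathmod defaults to ntpath so the example is reproducible on any OS;
    in production pass os.path, which is ntpath on Windows and posixpath
    elsewhere. commonpath() is used instead of a string prefix test so that
    'C:\\app\\templates-evil' is not mistaken for a child of the root.
    """
    root = pathmod.normcase(pathmod.abspath(directory))
    candidate = pathmod.normcase(pathmod.abspath(pathmod.join(root, uri)))
    try:
        inside = pathmod.commonpath([root, candidate]) == root
    except ValueError:
        inside = False  # different drives or mixed absolute/relative paths
    return inside, candidate


def compare(uri):
    """Return the verdict of each check for one URI, for side-by-side review."""
    return {
        "posix_check_allows": posix_only_check(TEMPLATE_DIR, uri)[0],
        "windows_opens": windows_resolves_to(TEMPLATE_DIR, uri),
        "hardened_check_allows": hardened_check(TEMPLATE_DIR, uri)[0],
    }


if __name__ == "__main__":
    for u in ("pages/index.html", "../../Windows/win.ini", "..\\..\\Windows\\win.ini"):
        print(repr(u), compare(u))
```

The forward-slash traversal is caught by the posix-only check, which is why the check looked adequate on POSIX hosts; only the backslash variant slips through, and only on a host whose os.path is ntpath. The fix is not to add backslash to a denylist but to perform normalization and the containment test with os.path on the actual path that will be opened.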
RECOMMENDATION:
We recommend updating Mako to version 1.3.12.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-2h4p-vjrc-8xpq