Vulnerable Library - Mako-1.2.4-py3-none-any.whl
A super-fast templating language that borrows the best ideas from the existing templating languages.
Library home page: https://files.pythonhosted.org/packages/03/3b/68690a035ba7347860f1b8c0cde853230ba69ff41df5884ea7d89fe68cd3/Mako-1.2.4-py3-none-any.whl
Path to dependency file: /.ws-temp-THFHIH-requirements.txt
Path to vulnerable library: /.ws-temp-THFHIH-requirements.txt,/tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (Mako version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-44307 | High | 7.5 | Mako-1.2.4-py3-none-any.whl | Direct | 1.3.12 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-44307
Vulnerable Library - Mako-1.2.4-py3-none-any.whl
A super-fast templating language that borrows the best ideas from the existing templating languages.
Library home page: https://files.pythonhosted.org/packages/03/3b/68690a035ba7347860f1b8c0cde853230ba69ff41df5884ea7d89fe68cd3/Mako-1.2.4-py3-none-any.whl
Path to dependency file: /.ws-temp-THFHIH-requirements.txt
Path to vulnerable library: /.ws-temp-THFHIH-requirements.txt,/tmp/ws-scm/Aspect-Based-Sentiment-Analysis
Dependency Hierarchy:
- ❌ Mako-1.2.4-py3-none-any.whl (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Summary

On Windows, a URI using backslash traversal (e.g. "....\ secret.txt") bypasses the directory traversal check in `Template.__init__` and the `posixpath`-based normalization in `TemplateLookup.get_template()`, allowing reads of files outside the configured template directory.

Details

The root cause is a mismatch between `posixpath` (used for URI normalization in `get_template()`) and `os.path` (used for file access via `os.path.isfile()` and validation via `os.path.normpath()` in `Template.__init__`). On Windows, `os.path` is `ntpath`, which treats `\` as a path separator, while `posixpath` treats it as a literal character.

The vulnerability chain:
1. `get_template()` strips only leading `/` via `re.sub(r"^/+", "", uri)` and normalizes with `posixpath`; the backslash `\` is treated as a literal character, so "..\ secret.txt" passes through with `..` undetected.
2. `Template.__init__()` validation uses `os.path.normpath()`; on Windows this resolves "..\ secret.txt" to "\secret.txt", which does not start with `..`, so the `startswith("..")` check passes.
3. `os.path.isfile()` on Windows interprets `\` as a path separator, resolving the `..` traversal and finding files outside the template directory.

Affected code
- `mako/lookup.py`: `TemplateLookup.get_template()` uses `posixpath.normpath`/`posixpath.join` for path construction but `os.path.isfile()` for the existence check.
- `mako/template.py`: `Template.__init__()` URI validation uses `os.path.normpath()`, which on Windows resolves backslash traversal to a form that passes the `startswith("..")` guard.

Impact

If an application passes user-controlled template names or include paths to `TemplateLookup.get_template()`, an attacker on Windows may be able to load and disclose readable files outside the configured template directory. The primary impact is local file disclosure. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template.

Remediation

The fix should normalize backslashes to forward slashes early in the URI processing pipeline, before any path operations, to ensure consistent behavior across platforms.
Publish Date: 2026-05-08
URL: CVE-2026-44307
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2h4p-vjrc-8xpq
Release Date: 2026-05-08
Fix Resolution: 1.3.12
⛑️ Automatic Remediation will be attempted for this issue.