2461244 – (CVE-2026-41205) CVE-2026-41205 mako: python: Mako: Information disclosure via path traversal vulnerability

Bug 2461244 (CVE-2026-41205) - CVE-2026-41205 mako: python: Mako: Information disclosure via path traversal vulnerability

Summary: CVE-2026-41205 mako: python: Mako: Information disclosure via path traversal ...

Keywords:
Status:	NEW
Alias:	CVE-2026-41205
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-23 20:01 UTC by OSIDB Bzimport
Modified:	2026-04-25 11:29 UTC (History)
CC List:	31 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-23 20:01:25 UTC

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Note You need to log in before you can comment on or make changes to this bug.

anthomas
aprice
bdettelb
dfreiber
doconnor
drow
ehelms
ggainey
ilpinto
jburrell
jkoehler
jsamir
juwatts
kgaikwad
lphiri
ltomasbo
mbarnett
mhulan
nmoumoul
oezr
osousa
pcreech
rchan
rhel-process-autobot
rjohnson
smallamp
teagle
tmalecek
vkumar
watson-tool-maintainers
ykashtan