Cyber Posture

CVE-2026-41205

High

Published: 23 April 2026

Modified: 28 April 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (25.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41205 is a high-severity path traversal (CWE-22) vulnerability in Mako, the Python template library maintained by the SQLAlchemy project, affecting releases prior to 1.3.11. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 25.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) ensures timely remediation of flaws like this path traversal in Mako prior to version 1.3.11 by applying the vendor patch (upgrade to 1.3.11 or later).

prevent: SI-10 (Information Input Validation) requires validation of untrusted input before it reaches TemplateLookup.get_template(), blocking path traversal via malformed URIs starting with '//'.

prevent: AC-6 (Least Privilege) limits the file system access of the process running Mako, so that even a successful traversal can disclose only the files that process is permitted to read.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The path traversal vulnerability directly allows remote reading of arbitrary local files readable by the process via untrusted input to get_template(), enabling collection of sensitive data from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Deeper analysis

CVE-2026-41205 is a path traversal vulnerability (CWE-22) in Mako, a Python template library, affecting versions prior to 1.3.11. The issue affects the TemplateLookup.get_template() function, which mishandles URIs starting with "//" (e.g., "//../../../secret.txt") due to an inconsistency between two slash-stripping implementations. This allows any file readable by the process to be accessed and returned as rendered template content when untrusted input is passed directly to the function.

Remote attackers can exploit this vulnerability over the network with no authentication, privileges, or user interaction required (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation requires an application to pass untrusted input directly to TemplateLookup.get_template(), enabling the attacker to traverse directories and disclose the contents of sensitive files readable by the hosting process through rendered template output.

The vulnerability is addressed in Mako version 1.3.11. Additional details on the issue and remediation are available in the GitHub Security Advisory at https://github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm.
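The SI-10 control above says to validate untrusted input before it reaches TemplateLookup.get_template(). The following is an added example of what that application-side guard can look like; it is not code from Mako or the sqlalchemy/mako project, and it does not depend on how Mako itself strips slashes. The TEMPLATE_ROOT path, the ALLOWED_SUFFIXES list and the render_user_template() wrapper are hypothetical stand-ins for an application's own settings. The guard refuses any leading slash outright (so the //../../../secret.txt shape from the advisory never reaches the lookup), normalizes the remainder, rejects '..' segments, and confirms the resolved path stays under the template root. A small version check for the SI-2 control (upgrade to 1.3.11 or later) is included as well.

```python
"""Application-side guard for template names taken from untrusted input.

Added example, not code from Mako or the sqlalchemy/mako project. The
directory, suffix list and wrapper below are hypothetical.
"""
import posixpath
from pathlib import Path

# Hypothetical template root, used only for the containment check.
TEMPLATE_ROOT = Path("/srv/app/templates")
# Hypothetical allowlist of template suffixes an application expects to serve.
ALLOWED_SUFFIXES = (".html", ".txt")


class TemplateNameError(ValueError):
    """Raised when an untrusted template name fails validation."""


def safe_template_uri(user_input: str, root: Path = TEMPLATE_ROOT) -> str:
    """Return a normalized, root-relative template URI or raise TemplateNameError.

    Rejects empty names, NUL bytes, backslashes, any leading slash (so both
    '//../../../secret.txt' and '/etc/passwd' fail before normalization),
    '..' segments, unexpected suffixes, and names whose resolved path does
    not sit under ``root``.
    """
    if not user_input:
        raise TemplateNameError("empty template name")
    if "\x00" in user_input or "\\" in user_input:
        raise TemplateNameError("forbidden character in template name")
    if user_input.startswith("/"):
        # Do not strip and continue: the CVE hinges on two inconsistent
        # slash-stripping code paths, so refuse leading slashes outright.
        raise TemplateNameError("absolute or protocol-relative template name")

    normalized = posixpath.normpath(user_input)
    if normalized.startswith("/") or ".." in normalized.split("/"):
        raise TemplateNameError("path traversal in template name")
    if not normalized.endswith(ALLOWED_SUFFIXES):
        raise TemplateNameError("unexpected template suffix")

    # Containment check: the resolved candidate must be strictly inside root.
    # strict=False lets this run even when the directory does not exist.
    candidate = (root / normalized).resolve(strict=False)
    root_resolved = root.resolve(strict=False)
    if root_resolved not in candidate.parents:
        raise TemplateNameError("template name escapes the template root")
    return normalized


def rejects(user_input: str) -> bool:
    """True if safe_template_uri() refuses the name (convenience for checks)."""
    try:
        safe_template_uri(user_input)
    except TemplateNameError:
        return True
    return False


def is_vulnerable_mako_version(version: str) -> bool:
    """True for Mako releases before 1.3.11, the release that fixes the CVE.

    Handles plain dotted release strings such as '1.3.10'; pre-release tags
    are not parsed here.
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts < (1, 3, 11)


def render_user_template(lookup, user_input: str):
    """Hypothetical wrapper showing where the guard sits relative to Mako.

    ``lookup`` is a mako.lookup.TemplateLookup; the guard runs first, so
    get_template() only ever sees a validated, root-relative name.
    """
    uri = safe_template_uri(user_input)
    return lookup.get_template(uri).render()


if __name__ == "__main__":
    # Constructed sample names: one benign, one with a redundant segment,
    # and the traversal shapes an attacker would try.
    for name in ("pages/index.html", "pages/./about.html",
                 "//../../../secret.txt", "../etc/passwd", "/etc/passwd"):
        try:
            print(f"{name!r:28} -> accepted as {safe_template_uri(name)!r}")
        except TemplateNameError as exc:
            print(f"{name!r:28} -> rejected: {exc}")
    print("Mako 1.3.10 vulnerable:", is_vulnerable_mako_version("1.3.10"))
```

The guard is an allowlist on the shape of the name rather than a blocklist of known-bad prefixes, which is why it refuses every leading slash instead of trying to strip them; normalization and the containment check then catch encodings of '..' that survive the first filter. It is defense in depth, not a substitute for upgrading to 1.3.11.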

Details

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

sqlalchemy / mako, versions prior to 1.3.11 (fixed in 1.3.11)

CVEs Like This One

CVE-2025-54794 (shared CWE-22)
CVE-2025-20051 (shared CWE-22)
CVE-2026-41419 (shared CWE-22)
CVE-2025-13801 (shared CWE-22)
CVE-2025-24605 (shared CWE-22)
CVE-2025-68921 (shared CWE-22)
CVE-2026-39369 (shared CWE-22)
CVE-2025-45691 (shared CWE-22)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
