Cyber Resilience

CVE-2026-44307

High

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0061 44.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44307 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the…

more

configured template directory. This vulnerability is fixed in 1.3.12.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in template library directly enables arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20051Shared CWE-22
CVE-2026-39369Shared CWE-22
CVE-2025-24605Shared CWE-22
CVE-2026-41205Shared CWE-22
CVE-2026-41419Shared CWE-22
CVE-2026-42600Shared CWE-22
CVE-2025-13801Shared CWE-22
CVE-2025-45691Shared CWE-22
CVE-2026-7182Shared CWE-22
CVE-2025-68921Shared CWE-22

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References