CVE-2026-44307

Publication date 12 May 2026

Last updated 27 May 2026

Ubuntu priority

Description

Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mako	26.04 LTS resolute	Not affected
	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

This only affects mako on windows

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-44307
https://github.com/sqlalchemy/mako/commit/72e10c573ca0fbcbddd4455abca8ce92a61780d7
https://github.com/sqlalchemy/mako/issues/435
https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12
https://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq