Path Traversal in Sqlalchemy Mako

CVE-2026-44307

Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in Templ…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.003 (52.4th percentile)

Affected products

Weakness classification (CWE)

References