Mako fixes path traversal arbitrary file read in TemplateLookup
TL;DR — A path traversal edge-case in Mako template lookup can expose arbitrary server-readable files if an application passes attacker-controlled template URIs to TemplateLookup.get_template().
What happened
Mako is a Python template library commonly embedded into application stacks that render server-side templates.
CVE-2026-41205 describes a High-severity (CVSS v4.0 7.7) path traversal issue in TemplateLookup.get_template() where a URI starting with // (for example, //../../../secret.txt) can be used to escape the intended template root. The CVE record states that any file readable by the process can be returned as rendered template content when an application passes untrusted input directly into TemplateLookup.get_template().
This is a classic “library API misuse becomes remote file read” failure mode: teams often treat template selection as low-risk glue code, but it frequently sits on attacker-controlled request parameters in real applications.
Who is impacted
- Applications using `mako` versions < 1.3.11.
- Any deployment where untrusted input can reach `TemplateLookup.get_template()` (directly or indirectly), including "theme", "template", or "layout" selectors driven by request parameters.
| Component | Affected (per CVE record) | Fixed (per CVE record) |
|---|---|---|
| mako | < 1.3.11 | 1.3.11 |
What to do now
- Follow vendor remediation guidance and apply a release that includes the fix; the CVE record states the issue is fixed in `1.3.11`.
- Inventory services that import `mako` (application dependencies, base images, serverless bundles; `pip show mako` or a lockfile search reports the pinned version) and identify any runtime paths that allow user input to influence template names/URIs.
- Add compensating controls while upgrading: do not pass raw request parameters to `TemplateLookup.get_template()`; instead, use an allowlist of known template names and map external inputs to internal template identifiers, so the raw value never reaches the lookup at all.
- If compromise is suspected, treat this as potential sensitive-file exposure and review access logs for unexpected template selectors containing traversal sequences (e.g., `../`) and double-slash prefixes (`//`), including their URL-encoded forms (`..%2F`, `%2F%2F`).
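The allowlist control and the log review from the two items above, as an added example that is not code from the Mako project or from the original advisory. The allowlist entries, the request values and the access-log lines are constructed for illustration, and `mako` itself is not imported; the hardened selector only shows what would be handed to `TemplateLookup.get_template()` once the raw request value has been mapped to an internal name.

```python
"""Hardened template selection plus an access-log check for traversal attempts.

Added example, not code from the Mako project or the original advisory.
The allowlist, the request values and the log lines below are constructed;
`mako` is not imported so the module runs offline.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist: external selector -> internal template URI.
# Only these internal URIs ever reach TemplateLookup.get_template().
TEMPLATE_ALLOWLIST = {
    "default": "layouts/default.html",
    "dark": "layouts/dark.html",
    "print": "layouts/print.html",
}

# Patterns that should never appear in a template URI derived from input:
# a leading double slash, any '..' path segment, a backslash, or a NUL byte.
_TRAVERSAL = re.compile(r"^//|(^|/)\.\.(/|$)|\\|\x00")


def is_suspicious_uri(uri: str) -> bool:
    """Return True if a URI looks like an attempt to escape the template root."""
    decoded = unquote(unquote(uri))  # catch single and double URL encoding
    return bool(_TRAVERSAL.search(decoded)) or posixpath.isabs(decoded)


def vulnerable_select(lookup, layout_param: str):
    """The misuse pattern: an untrusted request value straight into the lookup."""
    return lookup.get_template(layout_param)


def resolve_template_uri(layout_param: str) -> str:
    """Map an external selector to an internal URI; reject anything unknown.
    Raises ValueError instead of ever passing the raw value through."""
    try:
        return TEMPLATE_ALLOWLIST[layout_param]
    except KeyError:
        raise ValueError("unknown template selector") from None


def hardened_select(lookup, layout_param: str):
    """Allowlist first, then a belt-and-braces traversal check on the result."""
    uri = resolve_template_uri(layout_param)
    if is_suspicious_uri(uri):
        raise ValueError("internal template URI failed traversal check")
    return lookup.get_template(uri)


# Constructed access-log lines in combined log format; the URL-decoded value
# of the 'layout' query parameter is what a vulnerable application would pass on.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /page?layout=dark HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /page?layout=//../../../etc/passwd HTTP/1.1" 200 2104
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /page?layout=..%2F..%2Fsecret.txt HTTP/1.1" 500 311
10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /page?layout=print HTTP/1.1" 200 1290
"""

_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(text: str, param: str = "layout"):
    """Return a list of (client_ip, decoded_param_value) for requests whose
    template selector carries traversal sequences or a double-slash prefix."""
    hits = []
    for line in text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key == param and is_suspicious_uri(value):
                hits.append((line.split()[0], unquote(value)))
    return hits


if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious template selector from {ip}: {value!r}")
```

The allowlist is the real control: the mapping means an attacker can choose among three internal names and nothing else, regardless of what the library does with `//` or `..`. `is_suspicious_uri` is kept as a second layer and reused by the log scanner so that a production rule and the retrospective hunt flag the same shapes, including URL-encoded ones.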
