Search for packages
| purl | pkg:pypi/mako@0.3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5ztu-aqpn-97ar
Aliases: CVE-2026-44307 GHSA-2h4p-vjrc-8xpq |
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12. |
Affected by 0 other vulnerabilities. |
|
VCID-7157-v8k4-gbbx
Aliases: CVE-2022-40023 GHSA-v973-fxgf-6xhp PYSEC-2022-260 |
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin. |
Affected by 2 other vulnerabilities. |
|
VCID-78vq-wbe5-aygj
Aliases: CVE-2026-41205 GHSA-v92g-xgxw-vvmm PYSEC-2026-88 |
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11. |
Affected by 1 other vulnerability. |
|
VCID-kqgv-6uaw-wbg8
Aliases: CVE-2010-2480 GHSA-7q8x-38mc-p84f PYSEC-2010-1 |
Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||