Withdrawn Advisory
This advisory was withdrawn on May 23, 2026. Withdrawn advisories are no longer considered active.
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. ....\ secret.txt) bypasses the directory traversal check in Template.init and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
1.1.3+ds1-21.1.3+ds1-2ubuntu0.11.1.3+ds1-2ubuntu0.21.2.4+ds-21.3.1-11.3.2-11.3.2-1ubuntu0.11.3.8-21.3.9-11.3.9-1ubuntu0.11.3.10-31.3.10-3build11.3.10-3ubuntu0.11.3.9-11.0.2+ds1-11.0.3+ds1-11.0.3+ds1-1ubuntu11.0.3+ds1-1ubuntu1+esm11.0.3+ds1-1ubuntu1+esm21.0.7+ds1-11.0.7+ds1-1ubuntu0.21.0.7+ds1-1ubuntu0.2+esm11.0.7+ds1-11.1.0+ds1-11.1.0+ds1-1ubuntu11.1.0+ds1-1ubuntu21.1.0+ds1-1ubuntu2.11.1.0+ds1-1ubuntu2.1+esm1Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N