CVE-2026-41205: Mako: Path traversal via double-slash URI prefix in TemplateLookup

April 16, 2026 (updated April 24, 2026)

TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations:

Template.__init__ strips one leading / using if/slice
TemplateLookup.get_template() strips all leading / using re.sub(r"^\/+", "")

When a URI like //../../../../etc/passwd is passed:

get_template() strips all / → ../../../../etc/passwd → file found via posixpath.join(dir_, u)
Template.__init__ strips one / → /../../../../etc/passwd → normpath → /etc/passwd
/etc/passwd.startswith(..) → False → check bypassed

References

Code Behaviors & Features

Detect and mitigate CVE-2026-41205 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →