ALAS2-2026-3333

Amazon Linux 2 Security Advisory: ALAS2-2026-3333
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08

Severity: Medium

References: CVE-2026-41205
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11. (CVE-2026-41205)

Affected Packages:

python-mako

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-mako or yum update --advisory ALAS2-2026-3333 to update your system.

New Packages:

noarch:
    python-mako-0.8.1-2.amzn2.0.2.noarch

src:
    python-mako-0.8.1-2.amzn2.0.2.src

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2026-41205

Mitre: CVE-2026-41205