ALAS2023-2026-1846


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1846
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity: Medium

Issue Overview:

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11. (CVE-2026-41205)
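Added example (not part of the advisory and not Mako's own code): a simplified model of how two different leading-slash stripping rules can disagree on the URI form quoted above, next to a containment check an application can apply before passing untrusted names to TemplateLookup.get_template(). The function names, the sample inputs and the /srv/app/templates root are assumptions made for illustration.

```python
import posixpath
import re

# Assumed template root, for illustration only.
TEMPLATE_ROOT = "/srv/app/templates"


def strip_all_leading(uri):
    """Modelled behaviour A: remove every leading slash."""
    return re.sub(r"^/+", "", uri)


def strip_one_leading(uri):
    """Modelled behaviour B: remove at most one leading slash."""
    return uri[1:] if uri.startswith("/") else uri


def looks_like_escape(path):
    """A '..'-prefix test applied after normalisation."""
    return posixpath.normpath(path).startswith("..")


def is_safe_template_uri(uri, root=TEMPLATE_ROOT):
    """Resolve the name as a file lookup would and require it to stay under root."""
    # Reject empty names, NUL bytes and backslashes outright (hardening choice).
    if not uri or "\x00" in uri or "\\" in uri:
        return False
    resolved = posixpath.normpath(posixpath.join(root, uri.lstrip("/")))
    # Compare against root plus a separator so "/srv/app/templates-old" does not match.
    return resolved.startswith(root.rstrip("/") + "/")


def audit(uris):
    """Return (uri, escape seen by A, escape seen by B, accepted) per input."""
    return [
        (u, looks_like_escape(strip_all_leading(u)),
         looks_like_escape(strip_one_leading(u)), is_safe_template_uri(u))
        for u in uris
    ]


if __name__ == "__main__":
    # Constructed sample inputs; the second is the form quoted in the advisory.
    for row in audit(["/pages/index.html", "//../../../secret.txt",
                      "../templates-old/base.html", "a/../b.html"]):
        print(row)
```

A row where the two modelled rules disagree marks an input that a check built on one rule would pass while a lookup built on the other resolves it outside the root. The containment check complements installing the updated package and does not replace it.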


Affected Packages:

python-mako


Issue Correction:
Run dnf update python-mako --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1846 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
noarch:
    python-mako-doc-1.1.4-3.amzn2023.0.4.noarch
    python3-mako-1.1.4-3.amzn2023.0.4.noarch

src:
    python-mako-1.1.4-3.amzn2023.0.4.src