Weblate: Arbitrary File Read via Symlink_CVE-2026-34242

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

Basic Information

ID CVE-2026-34242

Source GitHub_M

Published Apr 15, 2026 at 18:19

Affected Product

Vendor WeblateOrg

Product weblate

Version < 5.17

Affected Versions WeblateOrg weblate < 5.17

CWE Classification

CWE-22 CWE-59 CWE-200

References

{
    "lastseen": "",
    "description": "Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17.",
    "published": "2026-04-15T18:19:59.552Z",
    "modified": "2026-04-15T18:19:59.552Z",
    "type": "cve",
    "title": "Weblate: Arbitrary File Read via Symlink",
    "source": "GitHub_M",
    "references": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397\nhttps://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3",
    "id": "CVE-2026-34242",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "WeblateOrg weblate < 5.17",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "weblate",
    "version": "< 5.17",
    "vendor": "WeblateOrg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}