CVE-2026-24126

MEDIUM

Weblate <5.16.0 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24126. PoCs published by alexb616.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2026-24126, which leverages an argument injection vulnerability in Weblate's SSH key management endpoint to achieve arbitrary file read. The exploit authenticates as an admin, injects the `-f` flag into the `host` parameter, and extracts file contents from error messages.

Description

Weblate is a web-based localization tool. Prior to 5.16.0, the SSH management console did not validate the input passed when adding an SSH host key, which could lead to argument injection into `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly restrict access to the management console.

Exploits (1)

nomisec · WORKING POC · 1 star
by alexb616 · poc
https://github.com/alexb616/Weblate-CVE-2026-24126


Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Weblate (self-hosted instances) ≤ 5.15.2
Auth required
Prerequisites: Weblate administrator credentials · Network access to the Weblate instance
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 6.6
EPSS 0.0001
EPSS Percentile 2.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-88
Status published
Products (2)
pypi/Weblate 0 - 5.16.0 (PyPI)
weblate/weblate < 5.16
Published Feb 19, 2026
Tracked Since Feb 19, 2026