CVE-2026-34242

HIGH

Weblate: Arbitrary File Read via Symlink

Title source: cna

Description

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

References (2)

[X_Refsource_Confirm] https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397

[X_Refsource_Misc] https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3

View Writeup ZIP pw:eip

Scores

CVSS v3 7.7

EPSS 0.0001

EPSS Percentile 3.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-200 CWE-22 CWE-59

Status published

Products (3)

pypi/weblate 0 - 5.17PyPI

weblate/weblate < 5.17

WeblateOrg/weblate < 5.17

Published Apr 15, 2026

Tracked Since Apr 16, 2026