HIGHCVE-2026-34242Published 2026-04-15Modified 2026-04-15CNA GitHub_M

CVE-2026-34242: Weblate: Arbitrary File Read via Symlink

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

CVSS v3.1: 7.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

WeblateOrg / weblate
< 5.17

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397
https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3

Metrics