Description

Weblate is a web-based localization tool. In versions prior to 5.17, the ZIP download feature did not verify the files it downloaded, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
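The kind of check whose absence the description refers to, as an added example that is not Weblate's code or its actual fix: a ZIP builder that resolves every symlink and archives it only when the target is a regular file inside the repository root. The names `build_zip` and `demo`, the skip-and-report policy, and the sample tree are assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_zip(root):
    """Zip regular files under root; return (zip bytes, skipped relative paths)."""
    real_root = os.path.realpath(root)
    skipped = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        # followlinks=False: never descend into symlinked directories.
        for dirpath, dirnames, filenames in os.walk(real_root, followlinks=False):
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, real_root)
                if os.path.islink(path):
                    # Resolve the link; the target must be a file inside the root.
                    # commonpath compares whole components, so "repo-old" is
                    # not mistaken for a child of "repo".
                    target = os.path.realpath(path)
                    inside = os.path.commonpath([real_root, target]) == real_root
                    if not (inside and os.path.isfile(target)):
                        skipped.append(rel)
                        continue
                elif not os.path.isfile(path):
                    continue  # real directory (walked by os.walk) or special file
                archive.write(path, rel)
    return buf.getvalue(), sorted(skipped)


def demo():
    """Constructed sample tree: two escaping symlinks and one internal one."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(os.path.join(repo, "po"))
        os.makedirs(os.path.join(tmp, "repo-old"))
        for rel in ("secret.txt", "repo-old/cs.po", "repo/po/cs.po"):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(repo, "po", "leak.po"))
        os.symlink("../../repo-old/cs.po", os.path.join(repo, "po", "old.po"))
        os.symlink("cs.po", os.path.join(repo, "po", "alias.po"))
        data, skipped = build_zip(repo)
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return sorted(archive.namelist()), skipped
```

The skipped list is worth logging: a repository that contains links resolving outside its own root is a signal to review who committed them.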

PUBLISHED Reserved 2026-03-26 | Published 2026-04-15 | Updated 2026-04-15 | Assigner GitHub_M




HIGH: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 5.17
affected

References

github.com/...eblate/security/advisories/GHSA-hv99-mxm5-q397

github.com/...ommit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3

cve.org (CVE-2026-34242)

nvd.nist.gov (CVE-2026-34242)