GHSA-33fm-6gp7-4p47

Source
https://github.com/advisories/GHSA-33fm-6gp7-4p47
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-33fm-6gp7-4p47/GHSA-33fm-6gp7-4p47.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-33fm-6gp7-4p47
Aliases
  • CVE-2026-24126
Published
2026-02-17T16:37:55Z
Modified
2026-02-18T23:56:35.018648Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
Weblate has an argument injection in management console
Details

Impact

The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add.

Patches

  • https://github.com/WeblateOrg/weblate/pull/17722

Workarounds

Properly limit access to the management console.

References

This issue was reported to us by alexb_616 via HackerOne.

Database specific
{
    "github_reviewed_at": "2026-02-17T16:37:55Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-88"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
Affected packages

PyPI / weblate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.0

Affected versions

1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11
4.11.1
4.11.2
4.12
4.12.1
4.12.2
4.13
4.13.1
4.14
4.14.1
4.14.2
4.15
4.15.1
4.15.2
4.16
4.16.1
4.16.2
4.16.3
4.16.4
4.17
4.18
4.18.1
4.18.2
5.*
5.0
5.0.1
5.0.2
5.1
5.1.1
5.2
5.2.1
5.3
5.3.1
5.4
5.4.1
5.4.2
5.4.3
5.5
5.5.2
5.5.3
5.5.4
5.5.5
5.6
5.6.1
5.6.2
5.7
5.7.1
5.7.2
5.8.1
5.8.2
5.8.3
5.8.4
5.9.1
5.9.2
5.10
5.10.1
5.10.2
5.10.3
5.10.4
5.11
5.11.1
5.11.3
5.11.4
5.12.1
5.12.2
5.13
5.13.1
5.13.2
5.13.3
5.14
5.14.1
5.14.2
5.14.3
5.15
5.15.1
5.15.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-33fm-6gp7-4p47/GHSA-33fm-6gp7-4p47.json"