GHSA-hv99-mxm5-q397

Source

https://github.com/advisories/GHSA-hv99-mxm5-q397

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hv99-mxm5-q397/GHSA-hv99-mxm5-q397.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hv99-mxm5-q397

Aliases

CVE-2026-34242

Published

2026-04-16T20:43:11Z

Modified

2026-04-16T21:03:47.635333Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Weblate: Arbitrary File Read via Symlink

Details

Impact

The ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository.

Patches

https://github.com/WeblateOrg/weblate/pull/18683

References

Thanks to @DavidCarliez for reporting this vulnerability via GitHub.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-04-15T19:16:35Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-22",
        "CWE-59"
    ],
    "github_reviewed_at": "2026-04-16T20:43:11Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / weblate

Package

Name: weblate; View open source insights on deps.dev
Purl: pkg:pypi/weblate

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.17

Affected versions

1.*

1.9

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.10.1

2.11

2.12

2.13

2.13.1

2.14

2.14.1

2.15

2.16

2.17

2.17.1

2.18

2.19

2.19.1

2.20

3.*

3.0

3.0.1

3.1

3.1.1

3.2

3.2.1

3.2.2

3.3

3.4

3.5

3.5.1

3.6

3.6.1

3.7

3.7.1

3.8

3.9

3.9.1

3.10

3.10.1

3.10.2

3.10.3

3.11

3.11.1

3.11.2

3.11.3

4.*

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1

4.1.1

4.2

4.2.1

4.2.2

4.3

4.3.1

4.3.2

4.4

4.4.1

4.4.2

4.5

4.5.1

4.5.2

4.5.3

4.6

4.6.1

4.6.2

4.7

4.7.1

4.7.2

4.8

4.8.1

4.9

4.9.1

4.10

4.10.1

4.11

4.11.1

4.11.2

4.12

4.12.1

4.12.2

4.13

4.13.1

4.14

4.14.1

4.14.2

4.15

4.15.1

4.15.2

4.16

4.16.1

4.16.2

4.16.3

4.16.4

4.17

4.18

4.18.1

4.18.2

5.*

5.0

5.0.1

5.0.2

5.1

5.1.1

5.2

5.2.1

5.3

5.3.1

5.4

5.4.1

5.4.2

5.4.3

5.5

5.5.2

5.5.3

5.5.4

5.5.5

5.6

5.6.1

5.6.2

5.7

5.7.1

5.7.2

5.8.1

5.8.2

5.8.3

5.8.4

5.9.1

5.9.2

5.10

5.10.1

5.10.2

5.10.3

5.10.4

5.11

5.11.1

5.11.3

5.11.4

5.12.1

5.12.2

5.13

5.13.1

5.13.2

5.13.3

5.14

5.14.1

5.14.2

5.14.3

5.15

5.15.1

5.15.2

5.16

5.16.1

5.16.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hv99-mxm5-q397/GHSA-hv99-mxm5-q397.json"