Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.
The issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.
{
"github_reviewed": true,
"nvd_published_at": "2026-06-10T20:17:29Z",
"cwe_ids": [
"CWE-918"
],
"severity": "MODERATE",
"github_reviewed_at": "2026-07-07T23:46:33Z"
}