It was possible to read arbitrary files from the server file system using crafted symbolic links in the repository.
Thanks to Jason Marcello for responsible disclosure.
"https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2040.yaml"