PYSEC-2026-2040

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2040.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2040
Aliases
Published
2026-07-07T16:03:13.529903Z
Modified
2026-07-07T17:47:55.600139755Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Weblate has an arbitrary file read via symbolic links
Details

Impact

It was possible to read arbitrary files from the server file system using crafted symbolic links in the repository.

Resources

Thanks to Jason Marcello for responsible disclosure.

References

Affected packages

PyPI / weblate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.1

Affected versions

1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11
4.11.1
4.11.2
4.12
4.12.1
4.12.2
4.13
4.13.1
4.14
4.14.1
4.14.2
4.15
4.15.1
4.15.2
4.16
4.16.1
4.16.2
4.16.3
4.16.4
4.17
4.18
4.18.1
4.18.2
5.*
5.0
5.0.1
5.0.2
5.1
5.1.1
5.2
5.2.1
5.3
5.3.1
5.4
5.4.1
5.4.2
5.4.3
5.5
5.5.2
5.5.3
5.5.4
5.5.5
5.6
5.6.1
5.6.2
5.7
5.7.1
5.7.2
5.8.1
5.8.2
5.8.3
5.8.4
5.9.1
5.9.2
5.10
5.10.1
5.10.2
5.10.3
5.10.4
5.11
5.11.1
5.11.3
5.11.4
5.12.1
5.12.2
5.13
5.13.1
5.13.2
5.13.3
5.14
5.14.1
5.14.2
5.14.3
5.15

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2040.yaml"