Symlink Vulnerability in Weblate Localization Tool
CVE-2026-34242

7.7HIGH

Key Information:

Vendor: Weblateorg
Status: Weblate
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-34242?

Weblate, a web-based localization tool, faced a significant security issue in its ZIP download functionality prior to version 5.17. The vulnerability allowed malicious users to potentially exploit the system by following symlinks that direct outside the intended repository. This oversight could lead to unauthorized access to sensitive files on the server. The issue has been effectively addressed in version 5.17, enhancing the overall security posture of the application by ensuring that downloaded files are properly verified and contained within the designated directory.

Affected Version(s)

weblate < 5.17

References

https://github.com/WeblateOrg/weblate/security/advisories...

x_refsource_CONFIRM

https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Mar 26, 2026

CVE-2026-34242 Data

JSON

Weblateorg

What is CVE-2026-34242?

Affected Version(s)

References

CVSS V3.1

Timeline