CVE-2026-24126

Summary

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.

Affected Software

VendorProductVersion RangeStatus
WeblateOrgweblate< 5.16.0affected

Weaknesses

  • CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References