CVE-2026-24126
6.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WeblateOrg | weblate | < 5.16.0 | affected |
Weaknesses
- CWE-88: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47
- https://github.com/WeblateOrg/weblate/pull/17722
- https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.