CVE-2026-34242 — Path Traversal in Weblate

CWE-22 — Path Traversal CWE-59 — Link Following CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

7.7HIGHNVD

EPSS

0.0%

top 98.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblateorg Weblate Weblate

Timeline

PublishedApr 15

Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶PyPIweblate/weblate< 5.17

▶CVEListV5weblateorg/weblate< 5.17

🔴Vulnerability Details

GHSA

Weblate: Arbitrary File Read via Symlink↗2026-04-16

▶

VulDB

weblate up to 5.16 path traversal (GHSA-hv99-mxm5-q397)↗2026-04-16

▶