CVE-2026-40256 — Path Traversal in Weblate

CWE-22 — Path Traversal3 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.0%

top 88.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblateorg Weblate Weblate

Timeline

PublishedApr 15

Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages2 packages

▶PyPIweblate/weblate< 5.17

▶CVEListV5weblateorg/weblate< 5.17

🔴Vulnerability Details

GHSA

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision↗2026-04-16

▶

VulDB

weblate up to 5.16 repo_outside path traversal (GHSA-ffgh-3jrf-8wvh)↗2026-04-16

▶