Skip to main content

Weblate CVE-2026-50127

| EUVDEUVD-2026-36113 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-10 GitHub_M GHSA-vmfc-9982-2m45
5.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

PR:L assigned because configuring VCS repository URLs in Weblate requires at minimum authenticated project-member access; AC:H retained because NAT64 host configuration is a prerequisite for the primary exploit path.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 21:16 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 20:31 vuln.today
Analysis Generated
Jun 10, 2026 - 20:31 vuln.today

DescriptionCVE.org

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

AnalysisAI

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

Weblate's outbound URL guard in weblate/utils/outbound.py relied on Python's ipaddress.IPv6Address.is_global to classify whether a resolved IP address is safe for outbound connection. CWE-918 (Server-Side Request Forgery) applies: the root cause is incomplete sanitization of attacker-controlled network destinations. Python's is_global classifies the NAT64 well-known prefix 64:ff9b::/96 (RFC 6052) as globally routable, but on hosts with NAT64 translation configured the kernel routes these packets to the IPv4 address embedded in the last 32 bits, enabling a private-address bypass. The same logic flaw applied to: 6to4 addresses (2002::/16, RFC 3056, encodes IPv4 in bits 16-47), IPv4-compatible addresses (::N.N.N.N/96, deprecated by RFC 4291 but still routable on some hosts), multicast ranges (IPv4 224.0.0.0/4, IPv6 ff00::/8), 6to4 relay anycast (192.88.99.0/24), ORCHIDv2 (2001:20::/28), and IPv6 Segment Routing (5f00::/16). The fix in PR #19768 adds an _unwrap_ipv6_transition helper that recursively resolves the embedded IPv4 address before the is_global check, and adds explicit blocklist logic for special-use prefixes not covered by is_global. CPE cpe:2.3:a:weblateorg:weblate:*:*:*:*:*:*:*:* covers all affected versions.

RemediationAI

The vendor-released patch is Weblate version 2026.6, available at https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6; administrators should upgrade immediately. The fix is contained in weblate/utils/outbound.py and adds recursive IPv6 transition address unwrapping plus extended special-use prefix blocking. If immediate upgrade is not feasible, the most reliable compensating control is network-layer egress filtering on the Weblate host: block outbound connections from the Weblate process to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16 and fe80::/10), and their IPv6 counterparts (fc00::/7, ::1/128), as well as the NAT64 prefix 64:ff9b::/96 and 6to4 range 2002::/16. This firewall-level restriction operates independently of application validation and cannot be bypassed by address encoding. Trade-off: overly broad egress rules may break legitimate VCS integrations with on-premises repositories; test against your repository network topology before applying. Do not treat VCS_RESTRICT_PRIVATE alone as a sufficient SSRF mitigation on affected versions.

CVE-2025-61587 MEDIUM POC
6.1 Oct 01

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter o

CVE-2026-34393 HIGH
8.8 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limi

CVE-2022-23915 HIGH
8.8 Mar 04

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when u

CVE-2026-33435 HIGH
8.0 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial

CVE-2026-34242 HIGH
7.7 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded f

CVE-2026-21889 HIGH
7.5 Jan 14

Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabli

CVE-2026-33220 MEDIUM
6.8 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpo

CVE-2026-24126 MEDIUM
6.6 Feb 19

Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS

CVE-2025-32021 LOW POC
2.2 Apr 15

Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Pub

CVE-2017-5537 MEDIUM
5.3 Mar 15

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email addres

CVE-2024-39303 MEDIUM
5.4 Jul 01

Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,

CVE-2022-24710 MEDIUM
5.4 Feb 25

Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerab

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-50127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy