CVE-2026-50127

Published: Jun 10, 2026Modified: Jun 10, 2026Deferred

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/WeblateOrg/weblate/pull/19768

Source: security-advisories@github.com

https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6

Source: security-advisories@github.com

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45

Source: security-advisories@github.com

Timeline

No history available yet.