exploitDog

GHSA-33fm-6gp7-4p47

Published: 17 Feb 2026
Source: github
Github: Reviewed
CVSS3: 6.6

Description

Weblate has an argument injection in management console

Impact

The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add.

Patches

Workarounds

Properly limit access to the management console.

References

This issue was reported to us by alexb_616 via HackerOne.

Packages

Name: Weblate (pip)
Affected versions: < 5.16.0
Fixed version: 5.16.0

EPSS

Percentile: 2%
0.00012
Low

6.6 Medium

CVSS3

Weaknesses

CWE-88

Related vulnerabilities

CVSS3: 6.6
nvd
about 1 month ago

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.

CVSS3: 6.6
debian
about 1 month ago

Weblate is a web based localization tool. Prior to 5.16.0, the SSH man ...
