Untriaged
CVE-2026-24126
6.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): LOW
Activity log
- Created suggestion
Weblate has an argument injection in management console
Weblate is a web-based localization tool. Prior to 5.16.0, the SSH management console did not validate the input passed when adding an SSH host key, which could lead to argument injection into the `ssh-add` invocation. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
References
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47 (x_refsource_CONFIRM)
- https://github.com/WeblateOrg/weblate/pull/17722 (x_refsource_MISC)
Affected products
weblate
- ==< 5.16.0
Matching in nixpkgs
pkgs.weblate
Web based translation tool with tight version control integration
pkgs.python312Packages.weblate-schemas
Schemas used by Weblate
pkgs.python313Packages.weblate-schemas
Schemas used by Weblate
pkgs.python314Packages.weblate-schemas
Schemas used by Weblate
pkgs.python312Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python313Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python314Packages.weblate-language-data
Language definitions used by Weblate
Package maintainers
- @erictapen Kerstin Humm <kerstin@erictapen.name>