Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-34242
7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Activity log
- Created suggestion
Weblate: Arbitrary File Read via Symlink
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
References
Affected products
weblate
- ==< 5.17
Matching in nixpkgs
pkgs.weblate
Web based translation tool with tight version control integration
pkgs.python313Packages.weblate-fonts
Weblate fonts collection
pkgs.python314Packages.weblate-fonts
Weblate fonts collection
pkgs.python312Packages.weblate-schemas
Schemas used by Weblate
pkgs.python313Packages.weblate-schemas
Schemas used by Weblate
pkgs.python314Packages.weblate-schemas
Schemas used by Weblate
pkgs.python312Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python313Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python314Packages.weblate-language-data
Language definitions used by Weblate
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@erictapen Kerstin Humm <kerstin@erictapen.name>