Platform
python
Component
weblate
Fixed in
5.17.1
5.17
CVE-2026-34242 describes an Arbitrary File Access vulnerability discovered in Weblate. This flaw allows an attacker to download arbitrary files by exploiting insufficient validation within the ZIP download feature, specifically by following symbolic links outside the intended repository directory. The vulnerability impacts Weblate versions from 0.0.0 up to, but not including, version 5.17.0. A patch has been released in version 5.17.0.
The core of this vulnerability lies in the ZIP download feature's failure to properly validate downloaded files and prevent symlink traversal. An attacker can craft a malicious ZIP archive containing symbolic links that point outside the intended repository directory. When a user attempts to download this crafted archive, Weblate will follow these symlinks, potentially exposing sensitive files from other parts of the system. This could include configuration files, source code, or other confidential data. The blast radius depends on the system's configuration and the permissions of the Weblate user, but successful exploitation could lead to significant data breaches and potential system compromise.
CVE-2026-34242 was publicly disclosed on 2026-04-15. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability was reported via GitHub by @DavidCarliez. It is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium due to the relatively straightforward nature of the attack and the potential for widespread deployment of vulnerable Weblate instances.
Exploit Status
EPSS
0.01% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34242 is to upgrade Weblate to version 5.17.0 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a temporary workaround by restricting file system access for the Weblate user to only the necessary directories. This can be achieved through file system permissions or access control lists (ACLs). Additionally, monitor Weblate logs for any unusual file access patterns or attempts to access files outside the expected repository directory. While not a direct fix, a Web Application Firewall (WAF) configured to block requests containing suspicious symlink patterns could provide an additional layer of defense.
Actualice Weblate a la versión 5.17 o superior para mitigar la vulnerabilidad. Esta versión corrige la falta de verificación de archivos descargados, evitando que se sigan enlaces simbólicos fuera del repositorio.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34242 is a HIGH severity vulnerability in Weblate allowing attackers to download arbitrary files by exploiting symlink traversal in the ZIP download feature.
You are affected if you are running Weblate versions 0.0.0 through 5.16. Upgrade to 5.17.0 or later to resolve the issue.
Upgrade Weblate to version 5.17.0 or later. As a temporary workaround, restrict the Weblate user's file system access.
There are currently no known public exploits or active campaigns targeting CVE-2026-34242, but the vulnerability's ease of exploitation warrants vigilance.
Refer to the Weblate GitHub repository for details and the patch: https://github.com/WeblateOrg/weblate/pull/18683
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.