{"api_version":"1","generated_at":"2026-04-16T01:22:07+00:00","cve":"CVE-2026-34242","urls":{"html":"https://cve.report/CVE-2026-34242","api":"https://cve.report/api/cve/CVE-2026-34242.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34242","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34242"},"summary":{"title":"Weblate: Arbitrary File Read via Symlink","description":"Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-15 19:16:35","updated_at":"2026-04-15 19:16:35"},"problem_types":["CWE-22","CWE-59","CWE-200","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-59 CWE-59: Improper Link Resolution Before File Access ('Link Following')","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3","name":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397","name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34242","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34242","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"WeblateOrg","product":"weblate","version":"affected < 5.17","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"weblate","vendor":"WeblateOrg","versions":[{"status":"affected","version":"< 5.17"}]}],"descriptions":[{"lang":"en","value":"Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-59","description":"CWE-59: Improper Link Resolution Before File Access ('Link Following')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-15T18:19:59.552Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397","tags":["x_refsource_CONFIRM"],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397"},{"name":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3","tags":["x_refsource_MISC"],"url":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3"}],"source":{"advisory":"GHSA-hv99-mxm5-q397","discovery":"UNKNOWN"},"title":"Weblate: Arbitrary File Read via Symlink"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34242","datePublished":"2026-04-15T18:19:59.552Z","dateReserved":"2026-03-26T16:22:29.034Z","dateUpdated":"2026-04-15T18:19:59.552Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-15 19:16:35","lastModifiedDate":"2026-04-15 19:16:35","problem_types":["CWE-22","CWE-59","CWE-200","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-59 CWE-59: Improper Link Resolution Before File Access ('Link Following')","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34242","Ordinal":"1","Title":"Weblate: Arbitrary File Read via Symlink","CVE":"CVE-2026-34242","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34242","Ordinal":"1","NoteData":"Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17.","Type":"Description","Title":"Weblate: Arbitrary File Read via Symlink"}]}}}