6.6
Weblate Management Console Exposes SSH Host Key Injection Risk
CVE-2026-24126
GHSA-33fm-6gp7-4p47
Summary
The Weblate management console doesn't properly validate user input, allowing a malicious user to inject commands that could let them access SSH keys. This is a security risk if the management console is accessible to unauthorized users. To protect your Weblate installation, tightly restrict access to the management console.
What to do
- Update weblate to version 5.16.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | weblate | <= 5.16.0 | 5.16.0 |
| weblate | weblate | <= 5.16 | – |
Original title
Weblate has an argument injection in management console
Original description
### Impact
The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`.
### Patches
* https://github.com/WeblateOrg/weblate/pull/17722
### Workarounds
Properly limit access to the management console.
### References
This issue was reported to us by [alexb_616](https://hackerone.com/alexb_616) via HackerOne.
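The following is an added example, not Weblate's code or its patch: one way to validate a user-supplied host and port before they become arguments of an external command, which is the control missing in a CWE-88 issue like this one. The command name, the `-p` option layout and the function names are hypothetical, and `--` only helps with tools that use getopt-style parsing.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class InvalidInput(ValueError):
    """Raised when a value must not be passed to the external command."""


def validate_host(value: str) -> str:
    """Accept only an IP literal or a DNS hostname; reject option-like input."""
    if not value or len(value) > 253:
        raise InvalidInput("empty or over-long host")
    if value.startswith("-"):
        raise InvalidInput("host must not start with '-'")
    if "%" not in value:  # refuse IPv6 scope ids, they carry free-form text
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass
    labels = value.rstrip(".").split(".")
    # fullmatch (not match with '$') so a trailing newline is rejected too.
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise InvalidInput("host is not a valid hostname")
    return value


def validate_port(value) -> int:
    """Accept only ASCII decimal digits in the TCP port range."""
    text = str(value)
    if not (text.isascii() and text.isdigit()):
        raise InvalidInput("port must be decimal digits")
    port = int(text)
    if not 1 <= port <= 65535:
        raise InvalidInput("port out of range")
    return port


def build_argv(command: str, host: str, port) -> list[str]:
    """Argument vector for subprocess.run(argv), never a shell string.

    "--" ends option parsing, so the host is always treated as an operand.
    The "-p <port>" layout is a hypothetical stand-in for the real tool's options.
    """
    return [command, "-p", str(validate_port(port)), "--", validate_host(host)]
```

Validation and the `--` separator are complementary: the first rejects option-like input outright, the second keeps anything that slips through from being parsed as an option.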
nvd CVSS3.1
9.1
Vulnerability type
CWE-88
- https://github.com/WeblateOrg/weblate/pull/17722 Issue Tracking
- https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451... Patch
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47 Patch Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24126
- https://github.com/advisories/GHSA-33fm-6gp7-4p47
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026