Weblate ZIP downloads could follow symlinks and expose files outside the repository
CVE-2026-34242
GHSA-hv99-mxm5-q397
Summary
In Weblate versions before 5.17, the ZIP download feature did not verify the files it packaged and could follow symlinks that pointed outside the repository checkout. If a translation repository contained such a symlink, the downloaded ZIP could include the contents of the link target, so the weakness is an arbitrary file read from the Weblate server rather than malicious content delivered to the person downloading the archive. The issue is fixed in version 5.17; upgrade to that version or later. Until you can upgrade, keep in mind that the exposure is of files on the server hosting Weblate, and that repositories whose contents you do not fully control are the ones that matter.
What to do
- Update weblate to version 5.17 or later.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | weblate | < 5.17 (fix: upgrade to 5.17) |
Original title
Weblate: Arbitrary File Read via Symlink
Original description
### Impact
The ZIP download feature didn't verify the downloaded file and it could follow symlinks outside the repository.
### Patches
* https://github.com/WeblateOrg/weblate/pull/18683
### References
Thanks to @DavidCarliez for reporting this vulnerability via GitHub.
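To make the symlink-following behaviour concrete, here is an added, self-contained illustration in Python; it is not Weblate's code and does not reproduce the fix from the linked pull request. It builds a throwaway directory layout (constructed test data) in which a checkout contains a symlink pointing at a file outside it, then packages the checkout twice: once with the naive walk-and-write pattern that `zipfile.ZipFile.write()` turns into an arbitrary file read, and once with a hardened variant that refuses symlinks and checks that every resolved path stays under the resolved root. The function and file names (`zip_naive`, `zip_safe`, `secret.txt`, the `hunter2` marker) are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_fixture(root: Path) -> Path:
    """Constructed test data: a 'repo' checkout that contains a symlink
    (po/notes.txt) pointing at a file outside the checkout."""
    secret = root / "outside" / "secret.txt"
    secret.parent.mkdir(parents=True)
    secret.write_text("db_password=hunter2\n")  # marker string, constructed
    repo = root / "repo"
    (repo / "po").mkdir(parents=True)
    (repo / "po" / "cs.po").write_text('msgid "Hello"\nmsgstr "Ahoj"\n')
    os.symlink(secret, repo / "po" / "notes.txt")  # the escaping symlink
    return repo


def zip_naive(repo: Path) -> bytes:
    """Vulnerable pattern (assumed, for illustration): walk the tree and write
    every regular file. Path.is_file() follows symlinks and ZipFile.write()
    opens the link target, so the archive gets the contents of secret.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(repo.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(repo).as_posix())
    return buf.getvalue()


def zip_safe(repo: Path) -> bytes:
    """Hardened pattern: never follow symlinks when packaging a checkout, and
    verify that each candidate's resolved path stays under the resolved root."""
    real_root = repo.resolve()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(repo.rglob("*")):
            if path.is_symlink() or not path.is_file():
                continue  # skipping is one choice; raising is the stricter one
            resolved = path.resolve()
            if real_root not in resolved.parents:
                raise ValueError(f"{path} escapes {real_root}")
            zf.write(path, path.relative_to(repo).as_posix())
    return buf.getvalue()


def zip_names(data: bytes) -> list[str]:
    """Sorted member names of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def leaks_secret(data: bytes) -> bool:
    """True if any member of the ZIP carries the out-of-tree marker string."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(b"hunter2" in zf.read(name) for name in zf.namelist())


def demo() -> dict:
    """Package the same checkout both ways and report what each archive holds."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_fixture(Path(tmp))
        naive, safe = zip_naive(repo), zip_safe(repo)
        return {
            "naive_names": zip_names(naive),
            "naive_leaks": leaks_secret(naive),
            "safe_names": zip_names(safe),
            "safe_leaks": leaks_secret(safe),
        }


if __name__ == "__main__":
    print(demo())
```

The naive archive contains `po/notes.txt` with the out-of-tree file's contents, which is exactly the arbitrary file read the advisory describes; the hardened archive contains only `po/cs.po`. The `resolve()` check is kept even though symlinks are already skipped, because it also catches a root that is itself reached through a link and any future code path that adds entries without going through the symlink test.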
NVD CVSS 3.1: 7.7
Vulnerability type
- CWE-22: Path Traversal
- CWE-59: Link Following
- CWE-200: Information Exposure
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 15 Apr 2026