← Back to CVEs
CVE-2026-24126
MEDIUM6.6
Description
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
CVE Details
CVSS v3.1 Score6.6
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredHIGH
User InteractionNONE
Published2/19/2026
Last Modified2/19/2026
Sourcenvd
Honeypot Sightings0
Affected Products
weblate:weblate
Weaknesses (CWE)
CWE-88
References
https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd(security-advisories@github.com)
https://github.com/WeblateOrg/weblate/pull/17722(security-advisories@github.com)
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.