{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24126", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.473Z", "datePublished": "2026-02-18T23:05:03.478Z", "dateUpdated": "2026-02-19T17:13:53.353Z"}, "containers": {"cna": {"title": "Weblate has an argument injection in management console", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47"}, {"name": "https://github.com/WeblateOrg/weblate/pull/17722", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/17722"}, {"name": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:05:03.478Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}], "source": {"advisory": "GHSA-33fm-6gp7-4p47", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:13:05.858607Z", "id": "CVE-2026-24126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:13:53.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:13:05.858607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:13:47.745Z"}}], "cna": {"title": "Weblate has an argument injection in management console", "source": {"advisory": "GHSA-33fm-6gp7-4p47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.16.0"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/17722", "name": "https://github.com/WeblateOrg/weblate/pull/17722", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "name": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:05:03.478Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24126", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:13:53.353Z", "dateReserved": "2026-01-21T18:38:22.473Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-18T23:05:03.478Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DFDA177-B23B-4767-A647-969D44EA60D9", "versionEndExcluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}, {"lang": "es", "value": "Weblate es una herramienta de localizaci\u00f3n basada en web. Antes de la 5.16.0, la consola de administraci\u00f3n SSH no validaba la entrada proporcionada al a\u00f1adir la clave de host SSH, lo que podr\u00eda conducir a una inyecci\u00f3n de argumentos en `ssh-add`. La versi\u00f3n 5.16.0 corrige el problema. Como soluci\u00f3n alternativa, se recomienda limitar adecuadamente el acceso a la consola de administraci\u00f3n."}], "id": "CVE-2026-24126", "lastModified": "2026-02-19T18:34:57.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T00:16:21.483", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/WeblateOrg/weblate/pull/17722"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.16.0)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-17T18:21:50.936440+00:00", "value": {"mitigation_remediation": ["Upgrade Weblate to version\u202f5.16.0 or later to apply the vendor\u2011provided fix.", "Restrict access to the SSH management console so that only trusted, privileged users can add SSH keys, using network boundaries or role\u2011based permissions.", "Monitor Weblate logs for anomalous ssh\u2011add commands or unexpected changes to host keys, and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Argument Injection"}, "threat_synthesis": {"affected_systems": "All releases of Weblate by WeblateOrg that are older than version\u202f5.16.0 are affected. No specific patch versions are listed; any instance running before the 5.16.0 release is vulnerable.", "description_and_impact": "Weblate\u2019s SSH management console fails to validate user input when adding an SSH host key, allowing an attacker to inject arbitrary arguments to the underlying ssh-add command. This argument injection can grant the attacker the ability to execute unintended commands within the context of the Weblate application, thereby exposing the host system to remote code execution. The weakness is classified as CWE\u201188.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity. The EPSS score is reported as less than 1\u202f%, showing a very low probability of exploitation, and the vulnerability is not currently listed in the KEV catalog. Exploitation requires authenticated access to the Weblate SSH management console, as the injection occurs through the console\u2019s input handling. Because the vulnerability is tied to a feature that is not commonly exposed, the attack vector is limited, but the potential impact remains significant if an attacker gains access to the console."}}}}, "created": "2026-02-19T10:08:01.355812+00:00", "updated": "2026-04-17T18:30:05.652091+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}