PT-2026-20549 · Weblate · Weblate

Alexb616 · Published 2026-02-17 · Updated 2026-02-24 · CVE-2026-24126

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Weblate versions prior to 5.16.0

Description

Weblate is a web-based localization tool. The SSH management console did not validate input when adding an SSH host key, potentially leading to an argument injection into the ssh-add function. This could allow for unauthorized command execution.

Recommendations

Versions prior to 5.16.0: Upgrade to version 5.16.0 or later.
Versions prior to 5.16.0: Properly limit access to the management console.

Exploit

Fix

Argument Injection


Weakness Enumeration

Related Identifiers

CVE-2026-24126
GHSA-33FM-6GP7-4P47

Affected Products

Weblate