PT-2026-33125 · Weblate · Weblate

Published: 2026-04-15 · Updated: 2026-05-15 · CVE-2026-40256

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17

Description: Repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This check is not path-segment aware and can be bypassed when an external path shares the same string prefix as the repository path, such as when one path is named repo and another is repo outside.

Recommendations: Update to version 5.17.
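The following is an added illustration of the weakness class described above, not code from Weblate or from the advisory. It places the flawed string-prefix check beside a path-segment-aware check built on os.path.commonpath, and runs both over a constructed set of paths; the repository root /srv/weblate/repo and the sibling directory name repo_outside are assumptions chosen for the demonstration.

```python
import os

# Constructed sample repository root for the demonstration (not a real Weblate path).
REPO_ROOT = "/srv/weblate/repo"


def is_inside_prefix(path: str, root: str = REPO_ROOT) -> bool:
    """The flawed pattern: a string-prefix check on the resolved absolute path.

    "/srv/weblate/repo_outside/x" starts with "/srv/weblate/repo", so it
    passes even though it lies outside the repository.
    """
    resolved = os.path.abspath(path)
    return resolved.startswith(root)


def is_inside_segment_aware(path: str, root: str = REPO_ROOT) -> bool:
    """Segment-aware check: compare whole path components, not characters.

    os.path.commonpath operates on path segments, so the shared "repo"
    prefix of "repo_outside" does not count as containment. A deployed
    check should resolve symlinks with os.path.realpath first; abspath is
    used here (assumption) so the example runs without touching the disk.
    """
    resolved = os.path.abspath(path)
    root = os.path.abspath(root)
    try:
        return os.path.commonpath([resolved, root]) == root
    except ValueError:
        # Raised for mixed absolute/relative inputs or different drives on
        # Windows: treat anything that cannot be compared as outside.
        return False


# Constructed inputs covering the cases that matter for this bug class.
SAMPLE_PATHS = [
    "/srv/weblate/repo/po/de.po",             # inside the repository
    "/srv/weblate/repo",                       # the root itself
    "/srv/weblate/repo/../repo_outside/x",     # ".." resolving to a sibling
    "/srv/weblate/repo_outside/secrets.txt",   # sibling sharing the string prefix
    "/etc/passwd",                             # clearly outside
]


def compare_checks(paths=SAMPLE_PATHS):
    """Return {path: (prefix_result, segment_aware_result)} for each sample."""
    return {p: (is_inside_prefix(p), is_inside_segment_aware(p)) for p in paths}


if __name__ == "__main__":
    for p, (weak, strict) in compare_checks().items():
        flag = "  <-- prefix check wrongly allows" if weak and not strict else ""
        print(f"{p:42} prefix={weak!s:5} segment_aware={strict!s:5}{flag}")
```

The two sibling paths are the ones to watch: the prefix check accepts both of them, while the segment-aware check rejects them and still accepts the root and its genuine children. pathlib's Path.is_relative_to (Python 3.9+) gives the same segment-aware answer and is a reasonable alternative to commonpath.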

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-40256
GHSA-FFGH-3JRF-8WVH

Affected Products

Weblate