CVE Catalog

CVE-2026-50127

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.

Risk Assessment

Organizations may be exposed to unauthorized access to resources as some addresses could bypass private range restrictions. This could lead to potential security breaches.

Recommendation

It is recommended to update Weblate to version 2026.6 to patch this vulnerability and ensure proper restrictions for address ranges.

Original NVD description (English source)

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS