MEDIUM 6.6 PyPI
Weblate has an argument injection in management console
GHSA-33fm-6gp7-4p47 · CVE-2026-24126
Description
Impact
The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add.
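One way to close this class of bug, shown as an added example that is not Weblate's patch or code from the advisory: validate the submitted host and port before they become command-line arguments, and end option parsing with `--`. The tool name `hostkey-tool`, its `-p` flag and all function names are hypothetical.

```python
import ipaddress
import re

# Placeholder for the external program; not the command Weblate runs.
HOSTKEY_TOOL = "hostkey-tool"
# One DNS label: letters, digits, hyphens, never a leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class InvalidInput(ValueError):
    """Raised when a form value must not reach the command line."""


def clean_host(value: str) -> str:
    """Return value if it is an IP literal or a plain host name."""
    host = value.strip()
    if not host or len(host) > 253:
        raise InvalidInput("host is empty or too long")
    try:
        return str(ipaddress.ip_address(host))  # IPv4/IPv6 literal
    except ValueError:
        pass
    # fullmatch, not match: "$" would tolerate a trailing newline in a label.
    labels = host.rstrip(".").split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        raise InvalidInput(f"not a valid host name: {host!r}")
    return host


def clean_port(value: str) -> int:
    """Return the port as an int, accepting ASCII decimal digits only."""
    if not (value.isascii() and value.isdigit()):
        raise InvalidInput("port must be decimal digits")
    port = int(value)
    if not 1 <= port <= 65535:
        raise InvalidInput("port out of range")
    return port


def build_argv(host: str, port: str) -> list[str]:
    """Build an argument list (no shell) in which host cannot be an option."""
    # Validation rejects a leading "-"; "--" is a second, independent barrier
    # for tools that parse options with getopt. "-p" is a hypothetical flag.
    return [HOSTKEY_TOOL, "-p", str(clean_port(port)), "--", clean_host(host)]


if __name__ == "__main__":
    print(build_argv("git.example.com", "22"))  # constructed sample input
```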
Patches
Workarounds
Properly limit access to the management console.
References
This issue was reported to us by alexb_616 via HackerOne.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-24126
- WEB https://github.com/WeblateOrg/weblate/pull/17722
- WEB https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd
- PACKAGE https://github.com/WeblateOrg/weblate