Launch Week Day 1: Announcing Security Design Review

Weblate: Arbitrary File Read via Symlink

GHSA-hv99-mxm5-q397 · CVE-2026-34242

Published Apr 16, 2026 · Modified Apr 16, 2026

Description

Impact

The ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository.

Patches

https://github.com/WeblateOrg/weblate/pull/18683

References

Thanks to @DavidCarliez for reporting this vulnerability via GitHub.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes