Lucene search
K

4 matches found

Github Security Blog
Github Security Blog
added 2026/04/16 9:8 p.m.8 views

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Impact Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as t...

5CVSS5.8AI score0.00324EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/04/15 6:36 p.m.24 views

CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS0.00324EPSS
Exploits0References2
OSV
OSV
added 2026/04/15 6:36 p.m.5 views

CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.9AI score0.00324EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/15 6:36 p.m.10 views

CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.8AI score0.00324EPSS
Exploits0References2
Rows per page
Query Builder