Lucene search
K

14 matches found

OSV
OSV
added 2026/05/05 7:26 p.m.4 views

GHSA-PG4W-G64P-QWHJ gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository

Summary attachments: pocs.zip When Repository::submodules loads submodule metadata, it prefers the worktree .gitmodules file if that path exists. In the current implementation, the path is read with std::fs::read, which follows symlinks. As a result, a repository can present a symlinked .gitmodul...

8.7CVSS6.1AI score
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/04/16 11:28 p.m.4 views

SUSE CVE-2026-40256

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.7AI score0.00324EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/16 9:8 p.m.7 views

Directory Traversal

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Directory Traversal in the repository boundary validation, due to reliance on string prefix checks for resolved absolute paths. An attacker...

8.3CVSS6.4AI score0.00324EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/16 9:8 p.m.5 views

EUVD-2026-23019

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision...

5CVSS5.8AI score0.00324EPSS
Exploits0References4
OSV
OSV
added 2026/04/16 9:8 p.m.6 views

GHSA-FFGH-3JRF-8WVH Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Impact Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as t...

5CVSS5.8AI score0.00324EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/16 9:8 p.m.8 views

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Impact Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as t...

5CVSS5.8AI score0.00324EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.4 views

CVE-2026-40256

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.8AI score0.00324EPSS
Exploits0References1
NVD
NVD
added 2026/04/15 7:16 p.m.4 views

CVE-2026-40256

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS0.00324EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/15 6:36 p.m.8 views

CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.8AI score0.00324EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/15 6:36 p.m.22 views

CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS0.00324EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/15 6:36 p.m.2 views

CVE-2026-40256

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...

5CVSS5.8AI score0.00324EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/15 6:36 p.m.20 views

CVE-2026-40256

Weblate (localization tool) contains a defect in repository-boundary validation prior to version 5.17 where absolute path checks use a simple startswith against the repository root, not path-segment aware. This can be bypassed when an external path shares the same string prefix as the repository ...

5CVSS5.8AI score0.00324EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.9 views

Weblate 安全漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17 contained security vulnerabilities, which were caused by a bypass of the repository boundary validation mechanism, potentially leading to path traversal attacks...

5CVSS5.8AI score0.00324EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.10 views

PT-2026-33125

Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.17 Description Repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This process is not...

5CVSS5.9AI score0.00324EPSS
Exploits0References9
Rows per page
Query Builder