Moderate severityNVD Advisory· Published Feb 18, 2026· Updated Feb 19, 2026
Weblate has an argument injection in management console
CVE-2026-24126
Description
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
WeblatePyPI | < 5.16.0 | 5.16.0 |
Affected products
2- Range: < 5.16.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-33fm-6gp7-4p47ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24126ghsaADVISORY
- github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fdghsax_refsource_MISCWEB
- github.com/WeblateOrg/weblate/pull/17722ghsax_refsource_MISCWEB
- github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.