Description
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
Published: 2026-02-18
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Argument Injection
Action: Immediate Patch
AI Analysis

Impact

Weblate’s SSH management console fails to validate user input when adding an SSH host key, allowing an attacker to inject arbitrary arguments into the underlying ssh-add command. This argument injection can grant the attacker the ability to execute unintended commands within the context of the Weblate application, thereby exposing the host system to remote code execution. The weakness is classified as CWE-88.
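As an added illustration of the CWE-88 pattern described above (not code from Weblate or from this page), the defensive shape that closes this class of bug: an allow-list check on the console value before it becomes an argv element, plus an explicit `--` terminator so nothing starting with `-` can be parsed as an option. The names `is_valid_hostname`, `looks_like_option` and `build_argv` are hypothetical; the page does not show Weblate's actual invocation, and the tool name is simply the one the advisory cites.

```python
import re

# Added illustration for the CWE-88 pattern behind CVE-2026-24126: a value taken
# from a web console must never be able to become an option of the spawned tool.
# Names (is_valid_hostname, looks_like_option, build_argv) are hypothetical and
# not Weblate's own API.

# One DNS label: 1-63 letters/digits/hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: a plain hostname, optionally with a ':port' suffix.

    Anything else (spaces, a leading '-', shell metacharacters, a second
    positional value) is rejected outright rather than sanitised."""
    if not host or len(host) > 253:
        return False
    name, sep, port = host.partition(":")
    if sep and not (port.isdigit() and 0 < int(port) < 65536):
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def looks_like_option(value: str) -> bool:
    """True if an argv element would be parsed as an option by getopt-style
    tools such as the OpenSSH clients: it begins with '-'."""
    return value.startswith("-")


def build_argv(tool: str, host: str) -> list:
    """Build the argument vector for `tool` (e.g. "ssh-add", as named in the
    advisory) with the console-supplied host as the only positional argument.

    Two independent defences: the allow-list above, and an explicit '--' so
    that even a value beginning with '-' could not be read as an option.
    The result is meant for subprocess.run(argv) with no shell involved."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected console input: {host!r}")
    assert not looks_like_option(host)  # guaranteed by the allow-list
    return [tool, "--", host]
```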

Affected Systems

All releases of Weblate by WeblateOrg that are older than version 5.16.0 are affected. No specific patch versions are listed; any instance running before the 5.16.0 release is vulnerable.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity. The EPSS score is reported as less than 1%, showing a very low probability of exploitation, and the vulnerability is not currently listed in the KEV catalog. Exploitation requires authenticated access to the Weblate SSH management console, as the injection occurs through the console’s input handling. Because the vulnerability is tied to a feature that is not commonly exposed, the attack vector is limited, but the potential impact remains significant if an attacker gains access to the console.

Generated by OpenCVE AI on April 17, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.16.0 or later to apply the vendor-provided fix.
  • Restrict access to the SSH management console so that only trusted, privileged users can add SSH keys, using network boundaries or role-based permissions.
  • Monitor Weblate logs for anomalous ssh-add commands or unexpected changes to host keys, and investigate any suspicious activity.


Advisories

  • Source: Github GHSA
  • ID: GHSA-33fm-6gp7-4p47
  • Title: Weblate has an argument injection in management console
History

Thu, 19 Feb 2026 18:45:00 +0000
  • CPEs (values added): cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

Thu, 19 Feb 2026 18:15:00 +0000
  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000
  • First Time appeared (values added): Weblate; Weblate weblate
  • Vendors & Products (values added): Weblate; Weblate weblate

Wed, 18 Feb 2026 23:30:00 +0000
  • Description (values added): Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
  • Title (values added): Weblate has an argument injection in management console
  • Weaknesses (values added): CWE-88
  • References (values added):
  • Metrics (values added): cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:13:53.353Z

Reserved: 2026-01-21T18:38:22.473Z

Link: CVE-2026-24126

Vulnrichment

Updated: 2026-02-19T17:13:47.745Z

NVD

Status: Analyzed

Published: 2026-02-19T00:16:21.483

Modified: 2026-02-19T18:34:57.413

Link: CVE-2026-24126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses