Description
Weblate is a web-based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.
Published: 2026-06-10
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weblate, a web-based localization platform, contained an SSRF flaw in the VCS_RESTRICT_PRIVATE guard. From version 5.15 up to, but excluding, version 2026.6, the guard failed to treat several transitional IPv6 ranges (the advisory title names the NAT64 well-known prefix 64:ff9b::/96), multicast addresses, and some semi-private IPv4 ranges as private. An attacker could therefore supply a URL whose address falls in one of those ranges and cause Weblate to perform outbound requests to addresses the guard was meant to block, potentially exposing internal services or sensitive data. This is a classic instance of CWE-918 (Server-Side Request Forgery).
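The gaps listed above, turned into a check a defender can run: this is an added example and not Weblate's own code or its fix; the function names, the explicit NAT64 block policy and the injected resolver are my own assumptions.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed policy, not Weblate's: refuse the NAT64 prefixes outright, since the
# NAT64 gateway, not this guard, decides which IPv4 host a 64:ff9b:: address reaches.
NAT64_PREFIXES = [ipaddress.IPv6Network("64:ff9b::/96"),     # RFC 6052 well-known prefix
                  ipaddress.IPv6Network("64:ff9b:1::/48")]   # RFC 8215 local-use prefix
# Not globally reachable per the IANA special-purpose registry, but not (fully)
# covered by ipaddress.is_private; the RFC 6598 shared space is its documented exception.
SEMI_PRIVATE_V4 = [ipaddress.IPv4Network("100.64.0.0/10"),   # shared address space (CGNAT)
                   ipaddress.IPv4Network("192.0.0.0/24")]    # IETF protocol assignments

def embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 host carried inside a transition-mechanism IPv6 address, if any."""
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:        # 2002:AABB:CCDD::/48
        return addr.sixtofour
    if addr.teredo is not None:           # 2001::/32 -> (server, client)
        return addr.teredo[1]
    return None

def is_restricted(ip: Union[str, IPAddr]) -> bool:
    """True when an outbound request to this address must be refused."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        if any(addr in net for net in NAT64_PREFIXES):
            return True
        inner = embedded_ipv4(addr)
        if inner is not None:
            return is_restricted(inner)   # judge the IPv4 host actually reached
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return addr.version == 4 and any(addr in net for net in SEMI_PRIVATE_V4)

def url_allowed(url: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """Refuse the URL when any resolved address is restricted. `resolve` is
    injected (socket.getaddrinfo in production) so this runs offline; the fetch
    must then connect to these same addresses, not resolve the name again."""
    host = urlsplit(url).hostname
    if not host:
        return False
    addresses = list(resolve(host))
    return bool(addresses) and not any(is_restricted(a) for a in addresses)
```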

Affected Systems

The vulnerability affects Weblate deployments running any version from 5.15 up to, but excluding, 2026.6. The affected vendor is WeblateOrg and the product is Weblate. Administrators running these releases should verify whether VCS integration is enabled and whether restrictions on internal addresses are required.

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Attackers would likely need authenticated access to configure or trigger VCS operations that resolve external URLs, although the published CVSS vector (PR:N, AC:H) records no privileges required, so that assumption should be checked against how a given deployment exposes VCS configuration. In the absence of public exploits, the threat remains limited to internal network abuse, but organizations relying on strict outbound filtering should treat this as a moderate-to-high risk until patched.

Generated by OpenCVE AI on June 10, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 2026.6 or later to apply the fix that corrects the URL guard.
  • Review and restrict VCS-related configuration so that Weblate cannot be pointed at internal resources; keep VCS_RESTRICT_PRIVATE enabled, and disable VCS integration entirely if it is not needed.
  • Enable logging of outbound HTTP requests and monitor for unexpected internal URLs to detect potential misuse.

Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:00:00 +0000

Type | Values removed | Values added
Description | | Weblate is a web-based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.
Title | | Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:56:37.829Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50127

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T20:17:29.427

Modified: 2026-06-10T20:21:20.207

Link: CVE-2026-50127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:30:36Z

Weaknesses