CVE-2026-40256
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
12th
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.
| CWE | CWE-22 |
| Vendor | weblateorg |
| Product | weblate |
| Published | Apr 15, 2026 |
| Last Updated | Apr 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for weblateorg weblate
Be the first to know when new medium vulnerabilities affecting weblateorg weblate are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
WeblateOrg / weblate
< 5.17