CVE-2026-50127

MEDIUM 5.9

Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

CWE	CWE-918
Vendor	weblateorg
Product	weblate
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for weblateorg weblate

Be the first to know when new medium vulnerabilities affecting weblateorg weblate are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

WeblateOrg / weblate

>= 5.15, < 2026.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45 github.com: https://github.com/WeblateOrg/weblate/pull/19768 github.com: https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6