{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24126", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.473Z", "datePublished": "2026-02-18T23:05:03.478Z", "dateUpdated": "2026-02-19T17:13:53.353Z"}, "containers": {"cna": {"title": "Weblate has an argument injection in management console", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47"}, {"name": "https://github.com/WeblateOrg/weblate/pull/17722", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/17722"}, {"name": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:05:03.478Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}], "source": {"advisory": "GHSA-33fm-6gp7-4p47", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:13:05.858607Z", "id": "CVE-2026-24126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:13:53.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:13:05.858607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:13:47.745Z"}}], "cna": {"title": "Weblate has an argument injection in management console", "source": {"advisory": "GHSA-33fm-6gp7-4p47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.16.0"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/17722", "name": "https://github.com/WeblateOrg/weblate/pull/17722", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "name": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T23:05:03.478Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24126", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:13:53.353Z", "dateReserved": "2026-01-21T18:38:22.473Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-18T23:05:03.478Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DFDA177-B23B-4767-A647-969D44EA60D9", "versionEndExcluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console."}, {"lang": "es", "value": "Weblate es una herramienta de localizaci\u00f3n basada en web. Antes de la 5.16.0, la consola de administraci\u00f3n SSH no validaba la entrada proporcionada al a\u00f1adir la clave de host SSH, lo que podr\u00eda conducir a una inyecci\u00f3n de argumentos en `ssh-add`. La versi\u00f3n 5.16.0 corrige el problema. Como soluci\u00f3n alternativa, se recomienda limitar adecuadamente el acceso a la consola de administraci\u00f3n."}], "id": "CVE-2026-24126", "lastModified": "2026-02-19T18:34:57.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-02-19T00:16:21.483", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://github.com/WeblateOrg/weblate/pull/17722"}, {"source": "[email protected]", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "[email protected]", "type": "Primary"}]}

{}