Nixpkgs security tracker
NIXPKGS-2026-1128
GitHub issue
published on
Permalink
CVE-2026-24126
6.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): LOW
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
ignored
6 packages
- python312Packages.weblate-schemas
- python313Packages.weblate-schemas
- python314Packages.weblate-schemas
- python312Packages.weblate-language-data
- python313Packages.weblate-language-data
- python314Packages.weblate-language-data
- @LeSuisse accepted
- @LeSuisse published on GitHub
Weblate has an argument injection in management console
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
References
-
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47 x_refsource_CONFIRM
-
https://github.com/WeblateOrg/weblate/pull/17722 x_refsource_MISC
Affected products
weblate
- ==< 5.16.0
Matching in nixpkgs
Ignored packages (6)
pkgs.python312Packages.weblate-schemas
Schemas used by Weblate
pkgs.python313Packages.weblate-schemas
Schemas used by Weblate
pkgs.python314Packages.weblate-schemas
Schemas used by Weblate
pkgs.python312Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python313Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python314Packages.weblate-language-data
Language definitions used by Weblate
Package maintainers
-
@erictapen Kerstin Humm <kerstin@erictapen.name>