Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1129

NIXPKGS-2026-1129

GitHub issue published on

Permalink CVE-2026-34242

7.7 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 8 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
8 packages
- python314Packages.weblate-language-data
- python313Packages.weblate-language-data
- python314Packages.weblate-schemas
- python313Packages.weblate-schemas
- python312Packages.weblate-schemas
- python314Packages.weblate-fonts
- python312Packages.weblate-language-data
- python313Packages.weblate-fonts
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse published on GitHub 8 hours ago

Weblate: Arbitrary File Read via Symlink

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397 x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3 x_refsource_MISC

Affected products

weblate

==< 5.17

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

nixos-unstable 5.16.2
- nixpkgs-unstable 5.16.2
- nixos-unstable-small 5.16.2
nixos-25.11 5.15.1
- nixos-25.11-small 5.15.1
- nixpkgs-25.11-darwin 5.15.1

Ignored packages (8)

pkgs.python313Packages.weblate-fonts

Weblate fonts collection

nixos-unstable 2026.1
- nixpkgs-unstable 2026.1
- nixos-unstable-small 2026.1

pkgs.python314Packages.weblate-fonts

Weblate fonts collection

nixos-unstable 2026.1
- nixpkgs-unstable 2026.1
- nixos-unstable-small 2026.1

pkgs.python312Packages.weblate-schemas

Schemas used by Weblate

nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python313Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6
nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python314Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6

pkgs.python312Packages.weblate-language-data

Language definitions used by Weblate

nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python313Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.7
- nixpkgs-unstable 2026.7
- nixos-unstable-small 2026.7
nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python314Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.7
- nixpkgs-unstable 2026.7
- nixos-unstable-small 2026.7

Package maintainers

@erictapen Kerstin Humm <kerstin@erictapen.name>