Nixpkgs security tracker


Details of issue NIXPKGS-2026-1902

NIXPKGS-2026-1902
published 14 hours ago
Weblate: security issues < 2026.6
CVE-2026-50127
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • python313Packages.weblate-fonts
    • python314Packages.weblate-fonts
    • python313Packages.weblate-schemas
    • python314Packages.weblate-schemas
    • python313Packages.weblate-language-data
    • python314Packages.weblate-language-data
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

Weblate is a web based localization tool. In versions from 5.15 up to, but not including, 2026.6, Weblate's VCS_RESTRICT_PRIVATE guard did not account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, so URLs pointing at addresses in those ranges bypassed the private-range restriction. This issue has been patched in version 2026.6.
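
The bug class behind this advisory, as an added illustration that is not Weblate's code: a guard that asks the standard library one question (`is_private`) beside one that unwraps transitional IPv6 forms (IPv4-mapped, the NAT64 well-known prefix, 6to4, Teredo) and applies the IPv4 policy to the address they actually carry, and that also rejects multicast and shared address space. The function names, the decision to treat 100.64.0.0/10 as blocked, and the assumption that the RFC 8215 local-use prefix is used as a /96 are this example's choices; the advisory does not name which ranges Weblate missed beyond the NAT64 prefix in its title.

```python
from __future__ import annotations

from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

# IPv6 ranges that carry an IPv4 address inside them. The ipaddress module
# treats most of these as ordinary global addresses, so a guard built on
# `is_private` alone never looks at the IPv4 address they lead to.
NAT64_WELL_KNOWN = ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix
NAT64_LOCAL_USE = ip_network("64:ff9b:1::/48")  # RFC 8215; assumed used as a /96 here

# IPv4 ranges the ipaddress module reports as neither private nor global.
# Blocking shared address space (CGNAT) is this example's policy choice.
SEMI_PRIVATE_V4 = (ip_network("100.64.0.0/10"),)  # RFC 6598


def naive_is_blocked(host: str) -> bool:
    """The weak pattern: one standard-library flag decides for the whole address."""
    return ip_address(host).is_private


def embedded_ipv4(addr: IPv6Address) -> IPv4Address | None:
    """IPv4 address carried by a transitional IPv6 address, if any."""
    if addr.ipv4_mapped is not None:                          # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr in NAT64_WELL_KNOWN or addr in NAT64_LOCAL_USE:   # IPv4 in the low 32 bits
        return IPv4Address(int(addr) & 0xFFFF_FFFF)
    if addr.sixtofour is not None:                            # 2002:WWXX:YYZZ::/48
        return addr.sixtofour
    if addr.teredo is not None:                               # 2001::/32; (server, client)
        return addr.teredo[1]
    return None


def ipv4_block_reason(addr: IPv4Address) -> str | None:
    """Why an IPv4 address must not be contacted, or None if it may."""
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
        return "private/reserved IPv4"
    if addr.is_multicast:
        return "multicast IPv4"
    for net in SEMI_PRIVATE_V4:
        if addr in net:
            return f"semi-private IPv4 ({net})"
    return None


def block_reason(host: str) -> str | None:
    """Why `host` (an IP literal the resolver returned) must not be fetched.

    DNS resolution and rebinding defenses are outside this example: call it
    for every address the resolver returns and refuse the URL if any is blocked.
    Raises ValueError if `host` is not an IP literal.
    """
    addr = ip_address(host)
    if isinstance(addr, IPv4Address):
        return ipv4_block_reason(addr)
    if addr.is_multicast:
        return "multicast IPv6"
    inner = embedded_ipv4(addr)
    if inner is not None:
        reason = ipv4_block_reason(inner)
        if reason:
            return f"embedded {inner}: {reason}"
    # Fall through even when the embedded IPv4 looked fine, so that ranges the
    # module itself flags (Teredo sits inside 2001::/23, for instance) stay blocked.
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_site_local:
        return "private/reserved IPv6"
    return None


if __name__ == "__main__":
    # Constructed probes; the first is the NAT64 bypass this advisory is about.
    for probe in ("64:ff9b::10.0.0.1", "64:ff9b::8.8.8.8", "2002:7f00:1::1",
                  "ff02::1", "100.64.0.1", "224.0.0.251", "::ffff:169.254.169.254"):
        print(f"{probe:24} naive={naive_is_blocked(probe)!s:5} hardened={block_reason(probe)}")
```

The order of the `embedded_ipv4` checks matters only for readability, since the prefixes are disjoint; what matters is that the unwrapped IPv4 goes through the same policy as a bare IPv4 literal, so that `64:ff9b::10.0.0.1` is judged as `10.0.0.1` rather than as an unremarkable global IPv6 address.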

Affected products

weblate
  • >= 5.15, < 2026.6

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

  • nixos-unstable 5.17
    • nixpkgs-unstable 5.17
    • nixos-unstable-small 5.17
  • nixos-26.05 5.17
    • nixos-26.05-small 5.17
    • nixpkgs-26.05-darwin 5.17

CVE-2026-45106
4.6 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse
Activity log
  • Created suggestion
  • @LeSuisse ignored
    6 packages
    • python313Packages.weblate-fonts
    • python314Packages.weblate-fonts
    • python313Packages.weblate-schemas
    • python314Packages.weblate-schemas
    • python313Packages.weblate-language-data
    • python314Packages.weblate-language-data
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Weblate: Stored HTML injection in editor search preview

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview rendered unit source and context as HTML without escaping. Any contributor whose content reaches those fields can therefore store HTML and CSS that is rendered inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5.
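
The rendering mistake behind this advisory, as an added illustration that is not Weblate's code: a preview renderer that interpolates the unit's source and context straight into markup, beside one that escapes every contributor-supplied segment and only then wraps search matches in `<mark>`. The function names, the sample units and the shape of the markup are this example's assumptions; the point it demonstrates is that match highlighting has to be done on the escaped output, because escaping after wrapping would destroy the highlight tags and wrapping before escaping lets stored markup through.

```python
import re
from html import escape

# Constructed sample units; the second carries markup a contributor stored.
SAMPLE_UNITS = [
    {"source": "Save <b>changes</b>", "context": "button"},
    {"source": 'Hello <img src=x onerror="alert(document.cookie)">', "context": "greeting"},
]


def render_preview_unsafe(unit: dict, query: str) -> str:
    """Vulnerable: unit fields are dropped into markup as-is, so any tag a
    contributor stored in the source is emitted live into the editor."""
    highlighted = unit["source"].replace(query, f"<mark>{query}</mark>")
    return f'<li><span class="ctx">{unit["context"]}</span> {highlighted}</li>'


def highlight(text: str, query: str) -> str:
    """Escape every literal segment, then wrap matches in <mark>.

    Matching runs on the raw text (case-insensitively, with the query treated
    as a literal), but every user-supplied character in the output has gone
    through escape(); only the <mark> tags are emitted by this function.
    """
    if not query:
        return escape(text)
    pattern = re.compile(re.escape(query), re.IGNORECASE)
    parts = []
    pos = 0
    for m in pattern.finditer(text):
        parts.append(escape(text[pos:m.start()]))
        parts.append(f"<mark>{escape(m.group(0))}</mark>")
        pos = m.end()
    parts.append(escape(text[pos:]))
    return "".join(parts)


def render_preview(unit: dict, query: str) -> str:
    """Hardened: both contributor-controlled fields pass through escape()."""
    return (f'<li><span class="ctx">{escape(unit["context"])}</span> '
            f'{highlight(unit["source"], query)}</li>')


def contains_foreign_tag(markup: str, allowed=("li", "span", "mark")) -> bool:
    """Cheap leak detector: any tag name other than the ones the renderer
    itself emits means stored markup reached the output unescaped."""
    return any(tag.lower() not in allowed
               for tag in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", markup))


if __name__ == "__main__":
    for unit in SAMPLE_UNITS:
        for render in (render_preview_unsafe, render_preview):
            out = render(unit, "Hello")
            print(f"{render.__name__:22} leaks={contains_foreign_tag(out)!s:5} {out}")
```

In a Django template the equivalent of `render_preview_unsafe` is marking the assembled string safe (or disabling autoescaping) so that the highlight tags survive; the fix is the same as here: build the fragment from escaped pieces and mark only that result safe.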

Affected products

weblate
  • < 2026.5

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

  • nixos-unstable 5.17
    • nixpkgs-unstable 5.17
    • nixos-unstable-small 5.17
  • nixos-26.05 5.17
    • nixos-26.05-small 5.17
    • nixpkgs-26.05-darwin 5.17