{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40256", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.787Z", "datePublished": "2026-04-15T18:36:44.975Z", "dateUpdated": "2026-04-15T18:36:44.975Z"}, "containers": {"cna": {"title": "Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh"}, {"name": "https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:36:44.975Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17."}], "source": {"advisory": "GHSA-ffgh-3jrf-8wvh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17."}], "id": "CVE-2026-40256", "lastModified": "2026-04-15T19:16:37.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:37.470", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T22:11:26.941582+00:00", "value": {"mitigation_remediation": ["Apply Weblate version 5.17 or later to install the upstream fix.", "If upgrading is not immediately possible, audit all repository paths and remove any symbolic links or junctions that share a string prefix with the repository root; avoid creating such paths in the future.", "Review the repository\u2011boundary validation logic to ensure it is path\u2011segment aware; if necessary, apply the manual patch referenced by commit e30dbcb33ae78e754ecef192d54f996b89cb4e15 or equivalent code changes."], "summary": {"action": "Upgrade", "impact": "Unauthorized file access"}, "threat_synthesis": {"affected_systems": "The flaw affects all Weblate installations running a version older than 5.17. Weblate versions 5.17 and newer contain a fix that makes the boundary check path\u2011segment aware.", "description_and_impact": "In Weblate releases before version 5.17, a repository\u2011boundary validation uses a simple string prefix check on resolved absolute paths. This check is not aware of individual path segments, allowing an attacker to create a symbolic link or junction whose external path starts with the same string as the repository root (e.g., \"repo\" and \"repo_outside\"). When such a path is resolved, the validation incorrectly accepts it as located within the repository, potentially exposing files that are outside the intended repository scope to the attacker. The vulnerability can compromise confidentiality by granting read access to arbitrary files stored on the server where Weblate is deployed.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5, indicating medium severity. No EPSS score is available, and the issue is not listed in CISA\u2019s KEV catalog. While the exact exploitation probability is uncertain, the required action of creating a symlink or junction suggests that the attack vector is local or trusted\u2011user based, but could be leveraged remotely if an attacker gains permission to modify repository configurations or upload content. The risk is therefore moderate, emphasizing that the side effect is data exposure rather than code execution or denial of service."}}}}, "created": "2026-04-15T22:15:15.709033+00:00", "updated": "2026-04-15T22:15:15.709045+00:00", "vendors": []}