CVE-2026-50127

Description

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

WeblateOrg / weblate>= 5.15, < 2026.6 – >= 5.15, < 2026.6

References

VENDOR_ADVISORYhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45
PATCHhttps://github.com/WeblateOrg/weblate/pull/19768
PATCHhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6