{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-34242","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-26T16:22:29.034Z","datePublished":"2026-04-15T18:19:59.552Z","dateUpdated":"2026-04-15T20:02:06.899Z"},"containers":{"cna":{"title":"Weblate: Arbitrary File Read via Symlink","problemTypes":[{"descriptions":[{"cweId":"CWE-22","lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-59","lang":"en","description":"CWE-59: Improper Link Resolution Before File Access ('Link Following')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397","tags":["x_refsource_CONFIRM"],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397"},{"name":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3","tags":["x_refsource_MISC"],"url":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3"}],"affected":[{"vendor":"WeblateOrg","product":"weblate","versions":[{"version":"< 5.17","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-04-15T18:19:59.552Z"},"descriptions":[{"lang":"en","value":"Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17."}],"source":{"advisory":"GHSA-hv99-mxm5-q397","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-15T19:37:49.486231Z","id":"CVE-2026-34242","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-15T20:02:06.899Z"}}]}}