{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-50127","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-03T18:49:32.275Z","datePublished":"2026-06-10T19:56:37.829Z","dateUpdated":"2026-06-11T14:09:55.504Z"},"containers":{"cna":{"title":"Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)","problemTypes":[{"descriptions":[{"cweId":"CWE-918","lang":"en","description":"CWE-918: Server-Side Request Forgery (SSRF)","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45","tags":["x_refsource_CONFIRM"],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45"},{"name":"https://github.com/WeblateOrg/weblate/pull/19768","tags":["x_refsource_MISC"],"url":"https://github.com/WeblateOrg/weblate/pull/19768"},{"name":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6","tags":["x_refsource_MISC"],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6"}],"affected":[{"vendor":"WeblateOrg","product":"weblate","versions":[{"version":">= 5.15, < 2026.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-10T19:56:37.829Z"},"descriptions":[{"lang":"en","value":"Weblate is a web-based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges (such as the NAT64 well-known prefix 64:ff9b::/96), multicast addresses, or some semi-private IPv4 ranges, which allowed outbound URLs targeting those addresses to bypass the private-range restriction, a server-side request forgery (SSRF) exposure. This issue has been patched in version 2026.6."}],"source":{"advisory":"GHSA-vmfc-9982-2m45","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-11T14:09:46.736772Z","id":"CVE-2026-50127","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-11T14:09:55.504Z"}}]}}