MEDIUM 6.6

GHSA-33fm-6gp7-4p47

Weblate has an argument injection in management console

Details

### Impact

The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`.

### Patches

* https://github.com/WeblateOrg/weblate/pull/17722

### Workarounds

Properly limit access to the management console.

### References

This issue was reported to us by [alexb_616](https://hackerone.com/alexb_616) via HackerOne.
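
The kind of check the Impact section says was missing, shown as an added example (not Weblate's code and not the change in the linked pull request): host and port values are validated before they are placed on a command line. The `example-keytool` command name and its positional host and port arguments are hypothetical.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphens; never starts or ends with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_host(value):
    """Return the host if it is an IP literal or an RFC 1123 hostname."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("host is empty, too long, or not a string")
    if "%" not in value:  # IPv6 zone identifiers are free-form text, so refuse them
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass  # not an IP literal, fall through to the hostname check
    # fullmatch on every label rejects a leading "-", whitespace, "=", "/",
    # control characters and empty labels in a single pass.
    if not all(_LABEL.fullmatch(label) for label in value.split(".")):
        raise ValueError(f"invalid host: {value!r}")
    return value


def validate_port(value):
    """Return the port as an int; only plain ASCII digits in 1..65535 pass."""
    text = str(value)
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"invalid port: {value!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def build_argv(base, host, port):
    """Append validated values to a fixed command prefix as separate argv items.

    `base` is the caller's fixed command (hypothetical here). "--" ends option
    parsing for getopt-style tools, so nothing after it is read as a flag.
    """
    return [*base, "--", validate_host(host), str(validate_port(port))]


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary value and one option-like value.
    print(build_argv(["example-keytool"], "git.example.com", "22"))
    try:
        build_argv(["example-keytool"], "--option=value", "22")
    except ValueError as err:
        print("rejected:", err)
```

The resulting list is meant to be passed to `subprocess.run` without `shell=True`, so each value stays a single argument.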


Affected packages

PyPI / weblate

* Introduced in: 0
* Fixed in: 5.16.0
* Fix: `pip install --upgrade 'weblate>=5.16.0'`
