HIGH 7.7

GHSA-hv99-mxm5-q397

Weblate: Arbitrary File Read via Symlink

Details

### Impact

The ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository.

### Patches

* https://github.com/WeblateOrg/weblate/pull/18683

### References

Thanks to @DavidCarliez for reporting this vulnerability via GitHub.

Enter the version of the package you're using.

Introduced in: 0 Fixed in: 5.17

Fix pip install --upgrade 'weblate>=5.17'