VDB
KO
MEDIUM 5.9

GHSA-vmfc-9982-2m45

Weblate SSRF: outbound URL guard misses some private ranges

Details

### Impact

Weblate's `VCS_RESTRICT_PRIVATE` did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.

### Patches

* https://github.com/WeblateOrg/weblate/pull/19768

### Resources

The issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / weblate
Introduced in: 5.15 Fixed in: 2026.6
Fix pip install --upgrade 'weblate>=2026.6'

References