MEDIUM 5.0

GHSA-ffgh-3jrf-8wvh

Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision

Details

### Impact

Weblate's repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths the check uses `startswith` against the repository root path. That comparison is not path-segment aware: it passes for any path that merely shares the root's characters (for example, `repo` and `repo_outside`), so a symlink or junction inside the repository that resolves to such a sibling directory is accepted as if it were inside the repository.
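The bypass and its fix, side by side. This is an added example and not Weblate's code: the function names, the directory layout under a temporary directory (`repo`, `repo_outside`, the `link` symlink) are all constructed for illustration, and the hardened variant uses `os.path.commonpath` as one segment-aware alternative to a raw prefix test.

```python
import os
import tempfile
from pathlib import Path


def naive_inside_repo(root, candidate) -> bool:
    """The vulnerable pattern described in the advisory.

    Both paths are resolved to absolute paths and then compared with a
    plain string prefix test. "/srv/repo_outside/x" starts with
    "/srv/repo", so a sibling directory passes the check.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return candidate.startswith(root)


def segment_inside_repo(root, candidate) -> bool:
    """Segment-aware check (illustrative hardened variant).

    os.path.commonpath() returns the longest shared *directory* prefix,
    so "/srv/repo" and "/srv/repo_outside/x" share only "/srv". The
    candidate is inside the root only if the common path is the root.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Different drives on Windows, or absolute mixed with relative.
        return False


def demo() -> dict:
    """Constructed layout (not Weblate's real tree) in a temp directory:

        <tmp>/repo/                 repository root
        <tmp>/repo/README.md        an honest in-repo file
        <tmp>/repo/link -> <tmp>/repo_outside/secret.txt
        <tmp>/repo_outside/secret.txt

    The symlink lives inside the repo but resolves to the sibling
    directory whose name shares the prefix. Returns each check's verdict.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "repo")
        outside = Path(tmp, "repo_outside")
        root.mkdir()
        outside.mkdir()
        secret = outside / "secret.txt"
        secret.write_text("not part of the repository\n")
        honest = root / "README.md"
        honest.write_text("inside the repository\n")
        link = root / "link"
        os.symlink(secret, link)
        return {
            "naive_link": naive_inside_repo(root, link),      # True: bypass
            "strict_link": segment_inside_repo(root, link),   # False
            "naive_honest": naive_inside_repo(root, honest),  # True
            "strict_honest": segment_inside_repo(root, honest),  # True
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A common half-fix is `candidate.startswith(root + os.sep)`; it rejects the sibling directory but also rejects the root itself and misbehaves when the root is `/`, so comparing whole segments (as above, or `Path.is_relative_to` on Python 3.9+) is the safer pattern. Resolving with `realpath` before the comparison is still required, since the attacker's path is the symlink, not its target.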

### Patches

* https://github.com/WeblateOrg/weblate/pull/18847

### References

Thanks to [m9nx4u](https://hackerone.com/m9nx4u) for reporting this issue via HackerOne.

Affected packages

PyPI / weblate
Introduced in: 0
Fixed in: 5.17
Fix: pip install --upgrade 'weblate>=5.17'
