Weblate ZIP Download Feature Symlink Follow Vulnerability Allowing Arbitrary File Read

Vulnerability

A vulnerability in Weblate's ZIP download feature, present in versions prior to 5.17, meant that the files placed into the downloaded archive were not verified before being read: a symlink inside the repository was followed to its target, even when that target was outside the repository. This could be abused for arbitrary file read.

Impact

Exploitation of this vulnerability could result in arbitrary file read: the contents of files outside the intended repository directory end up in the downloaded ZIP. The reach is bounded by what the Weblate server process itself is permitted to read.

Reproduction

To reproduce, create a symlink inside the component's repository directory whose target is a file outside the repository. Then request the component's ZIP download. Because entries are not verified before being archived, the symlink is followed and the target's contents are written into the ZIP, exposing a file outside the repository.
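The following is an added example, not code from the Weblate project, that reproduces the pattern described above on a constructed fixture: a fake component repository containing a symlink (`locale/leak.po`) that points at a file outside it. `zip_unverified` archives whatever `os.walk` yields, and since `ZipFile.write` opens the path normally, the symlink is followed and the outside file's bytes land in the archive. `zip_verified` shows the check a fix needs: resolve every candidate with `os.path.realpath` and refuse anything whose real location is not under the repository root. All function names here are the example's own assumptions; the actual Weblate implementation and patch are not reproduced.

```python
import os
import shutil
import tempfile
import zipfile

# Constructed content standing in for a sensitive file on the server.
SECRET = b"hypothetical secret outside the repository\n"


def make_fixture():
    """Build a throwaway directory tree (constructed, not real Weblate data):
    <root>/repo/locale/app.po      ordinary translation file
    <root>/repo/locale/leak.po     symlink -> <root>/secret.txt (outside repo)
    Returns (root, repo_dir, secret_path)."""
    root = tempfile.mkdtemp(prefix="weblate-symlink-demo-")
    repo = os.path.join(root, "repo")
    os.makedirs(os.path.join(repo, "locale"))
    with open(os.path.join(repo, "locale", "app.po"), "w") as fh:
        fh.write('msgid "Hello"\nmsgstr "Hallo"\n')
    secret = os.path.join(root, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(SECRET)
    # The attacker-introduced entry: a symlink inside the repository whose
    # target lies outside it.
    os.symlink(secret, os.path.join(repo, "locale", "leak.po"))
    return root, repo, secret


def zip_unverified(repo, zip_path):
    """Vulnerable pattern: archive every file os.walk reports without checking
    where it really lives. ZipFile.write() stats and opens the path, which
    follows symlinks, so the symlink target's bytes are stored in the ZIP."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for dirpath, _dirs, files in os.walk(repo):
            for name in files:
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, repo))


def zip_verified(repo, zip_path):
    """Hardened pattern: resolve each candidate and only archive it when its
    real path is inside the repository root. Symlinks that stay inside the
    repository are still archived; those escaping it are skipped and reported.
    Returns the list of skipped archive names."""
    root = os.path.realpath(repo)
    skipped = []
    with zipfile.ZipFile(zip_path, "w") as zf:
        for dirpath, dirs, files in os.walk(repo):
            # os.walk (followlinks=False) does not descend into symlinked
            # directories; drop them from the listing as well for clarity.
            dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(dirpath, d))]
            for name in files:
                full = os.path.join(dirpath, name)
                arcname = os.path.relpath(full, repo)
                real = os.path.realpath(full)
                if os.path.commonpath([root, real]) != root:
                    skipped.append(arcname)
                    continue
                zf.write(full, arcname)
    return skipped


def read_entry(zip_path, arcname):
    """Return the bytes stored under arcname, or None if the entry is absent."""
    with zipfile.ZipFile(zip_path) as zf:
        if arcname not in zf.namelist():
            return None
        return zf.read(arcname)


def demo():
    """Run both archivers over the fixture and report what each one stored."""
    root, repo, _secret = make_fixture()
    try:
        vuln_zip = os.path.join(root, "vuln.zip")
        safe_zip = os.path.join(root, "safe.zip")
        zip_unverified(repo, vuln_zip)
        skipped = zip_verified(repo, safe_zip)
        return {
            "leaked": read_entry(vuln_zip, "locale/leak.po"),   # == SECRET
            "safe_leak": read_entry(safe_zip, "locale/leak.po"),  # None
            "safe_po": read_entry(safe_zip, "locale/app.po"),
            "skipped": skipped,                                   # ["locale/leak.po"]
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("vulnerable archive leaked:", result["leaked"])
    print("hardened archive skipped:", result["skipped"])
```

The check in `zip_verified` compares the resolved path with the resolved root rather than testing `os.path.islink` alone, so it also catches a symlink to a directory that is reached through an intermediate link and relative `..` targets. The `commonpath` comparison must be done on real paths on both sides; comparing a real path against an unresolved root fails on systems where the working directory itself sits behind a symlink (for example `/tmp` on macOS).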

Remediation

Update to Weblate version 5.17 or later, where the ZIP download feature verifies that each archived file resolves to a location inside the repository.

Added: Apr 15, 2026, 7:48 PM
Updated: Apr 15, 2026, 7:48 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          0.8
exploitability  5.8
remediation     7.7
relevance       6.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.