CVE-2026-50127
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Weblate is a web based localization tool. From version 5.15 to before version 2026.6, VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.
Risk Assessment
Organizations may be exposed to unauthorized access to resources as some addresses could bypass private range restrictions. This could lead to potential security breaches.
Recommendation
It is recommended to update Weblate to version 2026.6 to patch this vulnerability and ensure proper restrictions for address ranges.
Original NVD description (English source)
Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

