Cyber Posture

CVE-2026-24126

Medium

Published: 19 February 2026
Modified: 19 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in Weblate 5.16.0
CVSS Score: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.0001 (2.1st percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24126 is a medium-severity Argument Injection (CWE-88) vulnerability in Weblate (vendor: Weblate). Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit-likelihood ranking places it at the 2.1st percentile (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Unix Shell (T1059.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Argument injection in Weblate's public-facing SSH management console directly enables exploitation of a web application (T1190) to achieve arbitrary command execution via the Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Weblate is a web-based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.

Deeper analysis (AI-generated)

CVE-2026-24126 is an argument injection vulnerability in Weblate, a web-based localization tool. Prior to version 5.16.0, the SSH management console fails to validate user input when adding an SSH host key, allowing injection of arguments into the `ssh-add` command. This issue is classified under CWE-88 and carries a CVSS v3.1 base score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).

The vulnerability can be exploited by a high-privileged user (PR:H) with network access to the Weblate instance who can interact with the SSH management console. By supplying malicious input during SSH host key addition, an attacker can inject arguments into `ssh-add`, potentially leading to arbitrary command execution within the context of the Weblate process. The CVSS vector rates the confidentiality, integrity, and availability impacts as Low, but with a changed scope (S:C), meaning the effect can extend beyond the Weblate component to related parts of the host or surrounding system.

Weblate version 5.16.0 addresses the issue through input validation in the SSH management console, as detailed in the project's security advisory (GHSA-33fm-6gp7-4p47), associated pull request (#17722), and fixing commit (78773cc141ce0a97900c11341e6cf856451395fd). As a workaround, administrators should restrict access to the management console.
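The defensive takeaway from the analysis above, written out as an added example that is not Weblate's code and not the project's actual fix: a hypothetical Python helper (Weblate is a Python application, hence the language) contrasting the unvalidated argv shape that produces CWE-88 with a validated one. The function names (`validate_host`, `build_argv_unchecked`, `build_argv_checked`), the allowlist grammar, and the argv layout are all assumptions for illustration; the page does not show how Weblate itself invokes `ssh-add`.

```python
"""Added example (not Weblate's code): argument-injection (CWE-88) guard.

The advisory describes user-supplied host-key input reaching an ssh-add
command line unvalidated. Building argv as a list (no shell) stops shell
metacharacters, but a positional value that begins with '-' is still parsed
by the invoked program as an option. A strict allowlist on the value, plus
a '--' terminator where the tool's getopt-style parser honours it, closes
that gap. All names here are hypothetical.
"""
import re

# Tool named in the advisory; the real invocation in Weblate is not shown on
# the page, so this argv layout is an assumption.
SSH_TOOL = "ssh-add"

# Constructed allowlist: RFC 1123-style hostname labels (letters, digits,
# hyphens, no leading/trailing hyphen) joined by dots, or a dotted-quad IPv4.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_IPV4_RE = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$"
)


class InvalidHost(ValueError):
    """Raised when a user-supplied host value fails the allowlist."""


def validate_host(value: str) -> str:
    """Return value unchanged if it is a plausible hostname or IPv4 literal.

    Anything outside the allowlist is rejected. That includes empty strings,
    whitespace, and option-looking values starting with '-', which is the
    class of input that turns a positional argument into a flag (CWE-88).
    """
    if not isinstance(value, str) or not value or len(value) > 253:
        raise InvalidHost("host must be a non-empty string of at most 253 chars")
    if _HOSTNAME_RE.match(value) or _IPV4_RE.match(value):
        return value
    raise InvalidHost(f"rejected host value: {value!r}")


def build_argv_unchecked(host: str) -> list[str]:
    """Vulnerable shape: the raw value lands in argv.

    No shell is involved, so ';' or '$(...)' are inert, but a value such as
    '-anything' is handed to the tool as an option rather than a host.
    """
    return [SSH_TOOL, host]


def build_argv_checked(host: str) -> list[str]:
    """Hardened shape: allowlist validation first, then '--' so the tool's
    option parser stops treating the following argument as a flag. The '--'
    is defence in depth; the validation is what actually rejects bad input."""
    return [SSH_TOOL, "--", validate_host(host)]


if __name__ == "__main__":
    # Constructed sample inputs as an administrator might type them.
    for candidate in ["git.example.com", "192.0.2.10", "-looks-like-an-option"]:
        try:
            print("accepted:", build_argv_checked(candidate))
        except InvalidHost as exc:
            print("rejected:", exc)
```

The point to take from the two builders is that `build_argv_unchecked` is already "shell-safe" in the usual sense and is still vulnerable; argument injection is a separate class from command injection and needs validation of each positional value, not just avoidance of `shell=True`.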

Details

CWE(s)
CWE-88 (Argument Injection)

Affected Products
weblate / weblate: versions ≤ 5.16

CVEs Like This One

CVE-2026-21889: same product (Weblate)
CVE-2025-68398: same product (Weblate)
CVE-2026-33435: same product (Weblate)
CVE-2026-34242: same product (Weblate)
CVE-2026-34393: same product (Weblate)
CVE-2026-25134: shared CWE-88
CVE-2026-27947: shared CWE-88
CVE-2026-26194: shared CWE-88
CVE-2026-22582: shared CWE-88
CVE-2026-2298: shared CWE-88