Cyber Resilience

CVE-2026-24126

Severity: Medium
Published: 19 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: available (fixed in 5.16.0)
CVSS v3.1: 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS: 0.0045 (35.6th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-24126 is a medium-severity argument injection (CWE-88) vulnerability in Weblate. Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the vector requires high privileges (PR:H): an attacker needs an existing administrative account on the instance, not an unauthenticated path. EPSS ranks it at the 35.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24126 is an argument injection vulnerability in Weblate, a web-based localization tool. Prior to version 5.16.0, the SSH management console fails to validate user input when adding an SSH host key, allowing injection of arguments into the `ssh-add` command. This issue is classified under CWE-88 and carries a CVSS v3.1 base score of 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).

The vulnerability can be exploited by a high-privileged user (PR:H) with network access to the Weblate instance who can interact with the SSH management console. By supplying a host value that carries option syntax (for instance one beginning with a dash) during SSH host key addition, an attacker controls arguments to `ssh-add`, which OpenSSH's option parser interprets as flags; depending on the flag reached, this could extend to arbitrary command execution within the context of the Weblate process. Passing the command as an argument list rather than through a shell does not prevent this class of flaw: the injected element is parsed by `ssh-add` itself, not by a shell. The CVSS assessment rates the impact as low on confidentiality, integrity and availability (C:L/I:L/A:L), but with a changed scope (S:C), because the injected arguments act on a component outside the web application's own security boundary.

Weblate version 5.16.0 addresses the issue through input validation in the SSH management console, as detailed in the project's security advisory (GHSA-33fm-6gp7-4p47), the associated pull request (#17722) and the fixing commit (78773cc141ce0a97900c11341e6cf856451395fd). As a workaround, administrators should restrict access to the management console to the smallest set of trusted accounts; since exploitation already requires high privileges, this reduces exposure rather than removing the flaw, so upgrading remains the fix.
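The pattern the advisory describes, as an added example that is not Weblate's own code: the pre-fix builder appends the form's host and port to an `ssh-add` argv unchecked, the hardened builder validates both values and terminates option parsing with `--`, and `split_options` approximates how a getopt(3)-based tool would consume each element, so the difference is visible without running OpenSSH. The function names, the host/port form fields, the `-p port` option used for the port field and the constructed input `-X` are assumptions for illustration (the page does not state how the port reaches the command); the example goes slightly beyond the page by accepting IPv4 and bracketed IPv6 literals as well as hostnames.

```python
"""Argument injection (CWE-88) in an argv built from an SSH host-key form.

Added illustrative example, not Weblate's code. It assumes the form supplies a
host and an optional port (both strings) that are appended to an OpenSSH command
line; the advisory names ssh-add, and the '-p' port option is an assumption.
Nothing is executed: the functions only build and inspect argv, so this runs
offline.
"""
import ipaddress
import re

# RFC 1123 hostname: labels of letters, digits and hyphens that neither start
# nor end with a hyphen, joined by dots. Because a label cannot start with '-',
# no valid hostname can ever look like a command-line option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"(?:%s)(?:\.(?:%s))*\.?" % (_LABEL, _LABEL))
_PORT_RE = re.compile(r"[0-9]{1,5}")


def build_argv_vulnerable(host, port=""):
    """Pre-fix pattern: form values are appended to argv unchecked.

    Passing a list to subprocess (no shell) rules out shell injection, but the
    host element still reaches ssh-add's own option parser, so a host value
    beginning with '-' is consumed as a flag. That is the CWE-88 condition.
    """
    argv = ["ssh-add"]
    if port:
        argv.extend(["-p", str(port)])
    argv.append(host)
    return argv


def is_valid_host(host):
    """Accept an RFC 1123 hostname, an IPv4/IPv6 literal or a bracketed IPv6
    literal; reject everything else, including anything starting with '-'."""
    if not isinstance(host, str) or not host or len(host) > 253:
        return False
    if host.startswith("-"):
        return False
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(literal)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def is_valid_port(port):
    """Accept only ASCII decimal port numbers in 1..65535 (fullmatch rejects
    trailing newlines and Unicode digits that str.isdigit would let through)."""
    return (isinstance(port, str) and _PORT_RE.fullmatch(port) is not None
            and 1 <= int(port) <= 65535)


def build_argv_hardened(host, port=""):
    """Fixed pattern: validate every form value before it touches argv, and end
    option parsing with '--' (honoured by getopt(3)) as defence in depth, so the
    host stays a positional argument even if validation is later relaxed."""
    if not is_valid_host(host):
        raise ValueError("invalid host: %r" % (host,))
    if port and not is_valid_port(port):
        raise ValueError("invalid port: %r" % (port,))
    argv = ["ssh-add"]
    if port:
        argv.extend(["-p", port])
    argv.extend(["--", host])
    return argv


def split_options(argv, takes_value=("p",)):
    """Approximate how a getopt(3)-based tool such as ssh-add reads argv[1:]:
    '--' ends option parsing, other elements starting with '-' are options
    (letters in takes_value consume a value), and parsing stops at the first
    positional, as BSD getopt does. Returns (options, positionals) with options
    as (flag, value) pairs, which shows exactly which user input became flags."""
    args = list(argv[1:])
    options, positionals = [], []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--":
            positionals.extend(args[i + 1:])
            break
        if arg.startswith("-") and len(arg) > 1:
            flag, rest = arg[:2], arg[2:]
            if flag[1] in takes_value and not rest and i + 1 < len(args):
                i += 1
                rest = args[i]          # value supplied as the next element
            options.append((flag, rest or None))  # glued characters kept with the flag
            i += 1
            continue
        positionals.extend(args[i:])    # first non-option ends parsing
        break
    return options, positionals
```

In a real view the `ValueError` from `build_argv_hardened` maps to a form error, and the resulting list is still handed to `subprocess.run` without a shell; the point of the two builders is that the list form alone was never a defence against CWE-88, only validation of the values (and the `--` separator) is.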

Vulnerability details

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.

CWE(s)

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Argument injection in the SSH management console of a web-facing Weblate instance enables exploitation of the web application (T1190) to reach command execution through `ssh-add`, which this mapping files under Unix shell execution (T1059.004). Two caveats apply: the console is an administrative function (the vector is PR:H), so T1190 describes the reachable surface rather than an unauthenticated initial-access path; and the injected arguments are parsed by `ssh-add`'s own option parser rather than by a shell, so T1059.004 is an approximation of the execution mechanism.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68398 (same product: Weblate)
CVE-2026-21889 (same product: Weblate)
CVE-2026-33435 (same product: Weblate)
CVE-2026-34393 (same product: Weblate)
CVE-2026-34242 (same product: Weblate)
CVE-2026-45158 (shared CWE-88)
CVE-2026-25134 (shared CWE-88)
CVE-2026-40281 (shared CWE-88)
CVE-2026-44193 (shared CWE-88)
CVE-2026-22582 (shared CWE-88)

Affected Assets

Vendor: weblate
Product: weblate
Affected versions: all versions prior to 5.16.0 (5.16.0 is the fixed release, so a range written as "≤ 5.16" should be read as "< 5.16.0")

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of input to the SSH host-key form, blocking the argument injection into ssh-add that enables the CWE-88 flaw.

AC-3 Access Enforcement (prevent)
Enforces access-control policy on the management console so that only authorized administrators can reach the vulnerable SSH host-key function.

Least privilege over console access (prevent)
Limits the set of users granted the high privileges needed to interact with the SSH management console, reducing the population that can exploit the injection.

References

GHSA-33fm-6gp7-4p47: Weblate security advisory for this issue
Pull request #17722: input validation fix in the SSH management console
Commit 78773cc141ce0a97900c11341e6cf856451395fd: fixing commit, released in Weblate 5.16.0
CVE-2026-24126: CVE record