CVE-2026-34242

High

Published: 15 April 2026

Published

15 April 2026

Modified

21 April 2026

KEV Added

—

Patch

—

CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.0001 3.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34242 is a high-severity Path Traversal (CWE-22) vulnerability in Weblate Weblate. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations to system resources, preventing the ZIP download feature from following symlinks to unauthorized files outside the repository.

SI-10 Information Input Validation good match

prevent

Validates file paths and symlink resolutions during ZIP archive generation to block path traversal and exposure of sensitive information.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation, including installation of the Weblate 5.17 patch that fixes the unverified symlink following in ZIP downloads.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The path traversal vulnerability (via symlink following) in the ZIP download feature directly enables an authenticated attacker to retrieve arbitrary sensitive files (configuration, user data, system info) from the local system, mapping to T1005 Data from Local System.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

Deeper analysisAI

CVE-2026-34242 affects Weblate, a web-based localization tool, in versions prior to 5.17. The vulnerability resides in the ZIP download feature, which fails to verify downloaded files and can follow symbolic links (symlinks) outside the intended repository. This path traversal issue, mapped to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-59 (Improper Link Resolution Before File Access), and CWE-200 (Exposure of Sensitive Information), has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

An attacker with low-privilege access (PR:L), such as a registered user on the Weblate instance, can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting symlinks that point to sensitive files outside the repository, the attacker triggers the ZIP download to include unauthorized data, resulting in high confidentiality impact (C:H) across a changed scope (S:C), such as exposing configuration files, user data, or system information without affecting integrity or availability.

The issue was addressed in Weblate version 5.17, as detailed in the project's GitHub security advisory (GHSA-hv99-mxm5-q397) and the fixing commit (5db3a2a2e047ecaab627a8731cd744a30b2f51d3). Security practitioners should upgrade to 5.17 or later and review access controls for ZIP download features in similar tools.