CVE-2026-40256: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WeblateOrg weblate
CVE-2026-40256 is a path traversal vulnerability in Weblate versions prior to 5. 17. The issue arises because repository-boundary validation uses string prefix checks on absolute paths without being path-segment aware. This allows bypassing the restriction when an external path shares the same string prefix as the repository path, potentially enabling access outside the intended directory. The vulnerability has been fixed in Weblate version 5. 17. The CVSS score is 5. 0, indicating a medium severity level.
AI Analysis
Technical Summary
Weblate before version 5.17 performs repository-boundary validation by checking if resolved absolute paths start with the repository root path using a simple string prefix check. This method is not path-segment aware, meaning that paths with similar prefixes (e.g., 'repo' and 'repo_outside') can bypass the check. This improper limitation of a pathname to a restricted directory (CWE-22) can allow unauthorized access to files outside the repository boundary. The issue was addressed and fixed in version 5.17 of Weblate.
Potential Impact
An attacker with at least low privileges (PR:L) can exploit this vulnerability remotely (AV:N) without user interaction (UI:N) to access files outside the intended repository directory. The impact is limited to partial confidentiality loss (C:L), with no integrity or availability impact. This could lead to unauthorized disclosure of sensitive information stored outside the repository.
Mitigation Recommendations
A fix for this vulnerability is available in Weblate version 5.17. Users should upgrade to version 5.17 or later to remediate this issue. Since no official patch link or advisory is provided, verify the upgrade availability from the official Weblate project resources before applying. Patch status is not yet confirmed from a vendor advisory; check the vendor's official channels for current remediation guidance.
CVE-2026-40256: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WeblateOrg weblate
Description
CVE-2026-40256 is a path traversal vulnerability in Weblate versions prior to 5. 17. The issue arises because repository-boundary validation uses string prefix checks on absolute paths without being path-segment aware. This allows bypassing the restriction when an external path shares the same string prefix as the repository path, potentially enabling access outside the intended directory. The vulnerability has been fixed in Weblate version 5. 17. The CVSS score is 5. 0, indicating a medium severity level.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Weblate before version 5.17 performs repository-boundary validation by checking if resolved absolute paths start with the repository root path using a simple string prefix check. This method is not path-segment aware, meaning that paths with similar prefixes (e.g., 'repo' and 'repo_outside') can bypass the check. This improper limitation of a pathname to a restricted directory (CWE-22) can allow unauthorized access to files outside the repository boundary. The issue was addressed and fixed in version 5.17 of Weblate.
Potential Impact
An attacker with at least low privileges (PR:L) can exploit this vulnerability remotely (AV:N) without user interaction (UI:N) to access files outside the intended repository directory. The impact is limited to partial confidentiality loss (C:L), with no integrity or availability impact. This could lead to unauthorized disclosure of sensitive information stored outside the repository.
Mitigation Recommendations
A fix for this vulnerability is available in Weblate version 5.17. Users should upgrade to version 5.17 or later to remediate this issue. Since no official patch link or advisory is provided, verify the upgrade availability from the official Weblate project resources before applying. Patch status is not yet confirmed from a vendor advisory; check the vendor's official channels for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfe0a382d89c981f8dff9e
Added to database: 4/15/2026, 7:01:55 PM
Last enriched: 4/15/2026, 7:17:24 PM
Last updated: 4/15/2026, 8:03:42 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.