GHSA-vmfc-9982-2m45MediumCVSS 5.9
Weblate SSRF: outbound URL guard misses some private ranges
🔗 CVE IDs covered (1)
📋 Description
Impact
Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.
Patches
- https://github.com/WeblateOrg/weblate/pull/19768
Resources
The issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.
🎯 Affected products1
- pip/weblate:>= 5.15, < 2026.6