GHSA-vmfc-9982-2m45MediumCVSS 5.9

Weblate SSRF: outbound URL guard misses some private ranges

Published
July 7, 2026
Last Modified
July 7, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19768

Resources

The issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.

🎯 Affected products1

  • pip/weblate:>= 5.15, < 2026.6

🔗 References (5)