{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "5.17"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1dd6ea9403d1f266d03e4537a91d6e57c5f6310f"
            },
            {
              "fixed": "5db3a2a2e047ecaab627a8731cd744a30b2f51d3"
            }
          ],
          "repo": "https://github.com/weblateorg/weblate",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-hv99-mxm5-q397"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-200",
      "CWE-22",
      "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34242.json"
  },
  "details": "Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially  following symlinks outside the repository. This issue has been fixed in version 5.17.",
  "id": "CVE-2026-34242",
  "modified": "2026-07-15T01:48:52.114985725Z",
  "published": "2026-04-15T18:19:59.552Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34242.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34242"
    },
    {
      "type": "FIX",
      "url": "https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate: Arbitrary File Read via Symlink"
}