CVE-2026-50127 PUBLISHED

Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

Assigner: GitHub_M
Reserved: 03.06.2026 Published: 10.06.2026 Updated: 11.06.2026

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WeblateOrg
Product	weblate
Versions	Version >= 5.15, < 2026.6 is affected

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45
https://github.com/WeblateOrg/weblate/pull/19768
https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6

Problem Types

CWE-918: Server-Side Request Forgery (SSRF) CWE