Weblate ZIP Feature Exposes Systems to Symlink Traversal

The National Vulnerability Database (NVD) has flagged CVE-2026-34242, a high-severity vulnerability (CVSS 7.7) affecting Weblate, a popular web-based localization tool. Prior to version 5.17, the ZIP download functionality in Weblate failed to properly validate downloaded files. This oversight allowed for potential symlink traversal, meaning an attacker could craft a malicious ZIP archive that, when processed, would enable the application to follow symbolic links outside its intended repository.

This flaw, categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-59 (Improper Link Resolution), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), essentially creates a backdoor for information disclosure. An attacker with the ability to upload or influence the processing of a malicious ZIP file could potentially read sensitive files located elsewhere on the server. Weblate has addressed this critical issue in version 5.17, patching the vulnerability to ensure proper file verification during ZIP downloads.