PatchSiren cyber security CVE debrief
CVE-2026-50127 WeblateOrg CVE debrief
CVE-2026-50127 is a MEDIUM severity vulnerability in Weblate, a web-based localization tool. Versions from 5.15 to before 2026.6 are affected due to improper IP range restrictions. The `VCS_RESTRICT_PRIVATE` setting did not correctly account for certain IPv6 transitional ranges, multicast addresses, and semi-private IPv4 ranges. This oversight allowed some addresses to bypass private range restrictions. The issue has been resolved in version 2026.6.
- Vendor: WeblateOrg
- Product: weblate
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Operators of Weblate, especially those running any version from 5.15 up to but not including 2026.6, should be aware of this vulnerability. It could potentially allow unauthorized access to Weblate instances.
Technical summary
The vulnerability, with a CVSS score of 5.9, involves Weblate's handling of IP addresses. Specifically, the `VCS_RESTRICT_PRIVATE` setting was not enforced for certain IP ranges, including some IPv6 transitional ranges, multicast addresses, and semi-private IPv4 ranges, so addresses in those ranges could pass the private-range check as if they belonged to allowed ranges.
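To make the classes of addresses named above concrete, the following is an added example (not Weblate's own code, and not the project's fix) of a private-range check that unwraps the IPv4 address embedded in transitional IPv6 forms (IPv4-mapped, 6to4, Teredo, NAT64) before deciding, and that adds the "semi-private" IPv4 ranges Python's `ipaddress` module does not consistently flag. The function name `restriction_reason`, the `SEMI_PRIVATE_V4` list and the sample addresses are assumptions constructed for this example.

```python
"""Private/internal address check covering the ranges named in the
CVE-2026-50127 description: IPv6 transitional ranges (IPv4-mapped, 6to4,
Teredo, NAT64), multicast addresses and semi-private IPv4 ranges.
Added example; not Weblate's code. Range list and names are assumptions."""
import ipaddress

# IPv4 ranges that are not globally routable but that ipaddress.is_private
# does not flag on every Python version (assumed list, drawn from RFC 6890).
SEMI_PRIVATE_V4 = [
    ipaddress.ip_network("100.64.0.0/10"),  # shared address space / CGNAT (RFC 6598)
    ipaddress.ip_network("192.0.0.0/24"),   # IETF protocol assignments
    ipaddress.ip_network("198.18.0.0/15"),  # benchmarking
]

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix


def embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address carried inside a transitional IPv6 address, or None."""
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:        # 2002:AABB:CCDD::/48, a.b.c.d = AA.BB.CC.DD
        return addr.sixtofour
    if addr.teredo is not None:           # 2001::/32; ipaddress returns (server, client)
        return addr.teredo[1]
    if addr in NAT64_PREFIX:              # 64:ff9b::a.b.c.d, IPv4 in the low 32 bits
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def restriction_reason(host: str):
    """Return why `host` should be treated as private/internal, or None if it
    looks globally routable. `host` must already be a literal IP address."""
    addr = ipaddress.ip_address(host)
    if addr.version == 6:
        # Evaluate the embedded IPv4 first: a mapped or tunnelled private
        # address is still a private target.
        inner = embedded_ipv4(addr)
        if inner is not None:
            inner_reason = restriction_reason(str(inner))
            if inner_reason:
                return f"transitional IPv6 embedding {inner}: {inner_reason}"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_reserved:
        return "reserved"
    if addr.is_private:
        return "private"
    if addr.version == 4 and any(addr in net for net in SEMI_PRIVATE_V4):
        return "semi-private"
    return None


if __name__ == "__main__":
    # Constructed sample inputs: each transitional form wraps 10.0.0.5 except
    # the Teredo address, whose client part decodes to 192.0.2.45.
    for sample in ["10.0.0.5", "100.64.1.2", "224.0.0.1", "::ffff:10.0.0.5",
                   "2002:a00:5::1", "64:ff9b::a00:5",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2", "ff02::1",
                   "93.184.216.34"]:
        print(f"{sample:45} -> {restriction_reason(sample)}")
```

The check is applied to resolved addresses, not hostnames: every A and AAAA answer for the configured VCS host has to pass, and a cautious deployment re-checks at connect time rather than once at configuration time. Whether an address inside a transitional prefix that embeds a public IPv4 should be blocked outright is a policy choice; the version above only rejects it when the embedded address is itself restricted.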
Defensive priority
MEDIUM
Recommended defensive actions
- Update Weblate to version 2026.6 or later.
- Review and adjust IP restrictions in the Weblate configuration, including the `VCS_RESTRICT_PRIVATE` setting.
Evidence notes
The CVE was published on June 10, 2026, and last modified on the same day. The vulnerability was patched in Weblate version 2026.6.
Official resources