CVE-2026-24126: Weblate has an argument injection in management console

February 17, 2026 (updated February 19, 2026)

The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add.

References

github.com/WeblateOrg/weblate
github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd
github.com/WeblateOrg/weblate/pull/17722
github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47
github.com/advisories/GHSA-33fm-6gp7-4p47
nvd.nist.gov/vuln/detail/CVE-2026-24126

Code Behaviors & Features

Detect and mitigate CVE-2026-24126 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →