Skip to main content

Weblate CVE-2022-24710

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2022-02-25 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 25, 2022 - 21:15 nvd
MEDIUM 5.4

DescriptionNVD

Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.

AnalysisAI

Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic. Affected products include: Weblate. Version information: prior to 4.11.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-61587 MEDIUM POC
6.1 Oct 01

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter o

CVE-2026-34393 HIGH
8.8 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limi

CVE-2022-23915 HIGH
8.8 Mar 04

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when u

CVE-2026-33435 HIGH
8.0 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial

CVE-2026-34242 HIGH
7.7 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded f

CVE-2026-21889 HIGH
7.5 Jan 14

Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabli

CVE-2026-33220 MEDIUM
6.8 Apr 15

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpo

CVE-2026-24126 MEDIUM
6.6 Feb 19

Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS

CVE-2025-32021 LOW POC
2.2 Apr 15

Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Pub

CVE-2026-50127 MEDIUM
5.9 Jun 10

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassin

CVE-2017-5537 MEDIUM
5.3 Mar 15

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email addres

CVE-2024-39303 MEDIUM
5.4 Jul 01

Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,

Share

CVE-2022-24710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy