Weblate
CVE-2022-24710
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.
AnalysisAI
Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic. Affected products include: Weblate. Version information: prior to 4.11.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter o
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limi
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when u
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded f
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabli
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpo
Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS
Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Pub
Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassin
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email addres
Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today