Skip to main content

Weblate

24 CVEs product

Monthly

CVE-2026-50127 PyPI MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

SSRF Weblate Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40256 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.

Path Traversal Weblate
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-39845 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

SSRF Weblate
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-34393 PyPI HIGH PATCH GHSA This Week

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

Privilege Escalation Weblate
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-34244 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

Information Disclosure SSRF Weblate
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-34242 PyPI HIGH PATCH GHSA This Week

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

Path Traversal Weblate
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33440 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

SSRF Weblate
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-33435 PyPI HIGH PATCH GHSA This Week

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

RCE Weblate
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-33220 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Path Traversal Weblate
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-33214 PyPI MEDIUM PATCH GHSA This Month

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.

Authentication Bypass Weblate
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33212 PyPI LOW PATCH GHSA Monitor

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.

Authentication Bypass Weblate
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-27457 PyPI MEDIUM PATCH This Month

Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.

Information Disclosure Weblate Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24126 PyPI MEDIUM PATCH This Month

Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS 6.6).

SSH Weblate Suse
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-21889 PyPI HIGH PATCH This Week

Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.

Authentication Bypass Weblate Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64326 PyPI LOW PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

Information Disclosure Weblate
NVD GitHub
CVSS 3.1
2.6
EPSS
0.0%
CVE-2025-61587 PyPI MEDIUM POC PATCH This Month

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.

Open Redirect Debian Weblate Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-58352 PyPI LOW PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

Information Disclosure Weblate
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-49134 PyPI MEDIUM PATCH This Month

A security vulnerability in Weblate (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Debian Weblate Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-47951 PyPI MEDIUM PATCH This Month

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

Information Disclosure Debian Weblate Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-32021 PyPI LOW POC PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Docker Weblate
NVD GitHub
CVSS 3.1
2.2
EPSS
0.3%
CVE-2024-39303 PyPI MEDIUM PATCH This Month

Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Weblate
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-23915 PyPI HIGH PATCH This Week

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Weblate
NVD GitHub
CVSS 3.1
8.8
EPSS
2.9%
CVE-2022-24710 PyPI MEDIUM PATCH This Month

Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Weblate
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2017-5537 PyPI MEDIUM PATCH This Month

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Weblate
NVD GitHub
CVSS 3.0
5.3
EPSS
0.5%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

SSRF Weblate Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.

Path Traversal Weblate
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

SSRF Weblate
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

Privilege Escalation Weblate
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

Information Disclosure SSRF Weblate
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.

Path Traversal Weblate
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

SSRF Weblate
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

RCE Weblate
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Path Traversal Weblate
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.

Authentication Bypass Weblate
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.

Authentication Bypass Weblate
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.

Information Disclosure Weblate Suse
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS 6.6).

SSH Weblate Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabling unauthenticated attackers to retrieve sensitive screenshots by predicting their filenames. This improper access control flaw affects all users whose screenshot content should be restricted. A patch is available in version 5.15.2 and later.

Authentication Bypass Weblate Suse
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

Information Disclosure Weblate
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.

Open Redirect Debian Weblate +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

Information Disclosure Weblate
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A security vulnerability in Weblate (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Debian Weblate +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

Information Disclosure Debian Weblate +1
NVD GitHub
EPSS 0% CVSS 2.2
LOW POC PATCH Monitor

Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Nginx Information Disclosure Docker +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Weblate
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Weblate
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Weblate
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Weblate
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy