CVE-2026-34244Sensitive Information Exposure in Weblate

CWE-200Sensitive Information ExposureCWE-918Server-Side Request Forgery3 documents3 sources
Severity
5.0MEDIUMNVD
EPSS
0.0%
top 93.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Weblateorg WeblateWeblate
Timeline
PublishedApr 15
Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) wi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages2 packages

PyPIweblate/weblate< 5.17
CVEListV5weblateorg/weblate< 517

🔴Vulnerability Details

2
VulDB
weblate up to 5.16 Error Message WEBLATE_MACHINERY server-side request forgery (GHSA-xrwr-fcw6-fmq8)2026-04-16
GHSA
Weblate: SSRF via Project-Level Machinery Configuration2026-04-16