CVE-2026-39845Server-Side Request Forgery in Weblate

CWE-918Server-Side Request Forgery3 documents3 sources
Severity
4.1MEDIUMNVD
EPSS
0.0%
top 99.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Weblateorg WeblateWeblate
Timeline
PublishedApr 15
Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:NExploitability: 2.3 | Impact: 1.4

Affected Packages2 packages

PyPIweblate/weblate< 5.17
CVEListV5weblateorg/weblate< 5.17

🔴Vulnerability Details

2
VulDB
weblate up to 5.16 Webhook Add-on server-side request forgery (GHSA-f8hv-g549-hwg2)2026-04-16
GHSA
Weblate: SSRF via the webhook add-on using unprotected fetch_url()2026-04-16