Weblate vulnerabilities

30 known vulnerabilities affecting weblate/weblate.

Total CVEs: 30
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 15, LOW 7

Vulnerabilities

Page 1 of 2
CVE-2026-34242 | HIGH | CWE-200 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Arbitrary File Read via Symlink
Impact: The ZIP download feature didn't verify the downloaded file and could follow symlinks outside the repository.
Patches: https://github.com/WeblateOrg/weblate/pull/18683
References: Thanks to @DavidCarliez for reporting this vulnerability via GitHub.
Sources: GHSA
CVE-2026-33435 | HIGH | CWE-23 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Remote code execution during backup restoration
Impact: The project backup didn't filter Git and Mercurial configuration files, which could lead to remote code execution under certain circumstances.
Patches: https://github.com/WeblateOrg/weblate/pull/18549
Workarounds: The project backup is only accessible to users who can create projects. Restricting access to this limits the scope of the …
Sources: GHSA
CVE-2026-34393 | HIGH | CWE-269 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Privilege escalation in the user API endpoint
Impact: The user patching API endpoint didn't properly limit the scope of edits.
Patches: https://github.com/WeblateOrg/weblate/pull/18687
References: Thanks to @tikket1 and @DavidCarliez for reporting this via GitHub. We received two individual reports for this.
Sources: GHSA
CVE-2026-40256 | MEDIUM | CWE-22 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Impact: Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path share …
Sources: GHSA
CVE-2026-33440 | MEDIUM | CWE-918 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
Impact: The ALLOWED_ASSET_DOMAINS setting applied only to the first issued request and didn't restrict possible redirects.
Patches: https://github.com/WeblateOrg/weblate/pull/18550
References: This issue was reported by @spbavarva via GitHub.
Sources: GHSA
CVE-2026-39845 | MEDIUM | CWE-918 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: SSRF via the webhook add-on using unprotected fetch_url()
Impact: The webhook add-on did not use the existing SSRF protection.
Patches: https://github.com/WeblateOrg/weblate/pull/18815
Workarounds: Disabling the add-on would avoid misuse of this.
References: Thanks to @Lihfdgjr for reporting this via GitHub.
Sources: GHSA
CVE-2026-33214 | MEDIUM | CWE-862 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Improper access control for the translation memory in API
Impact: The translation memory API exposed unintended endpoints, which in turn didn't do proper access control.
Patches: https://github.com/WeblateOrg/weblate/pull/18513
Workarounds: Blocking access to `/api/memory/` in the HTTP server removes access to this feature.
References: This issue was reported by ggamno …
Sources: GHSA
CVE-2026-34244 | MEDIUM | CWE-200 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: SSRF via Project-Level Machinery Configuration
Impact: A user with the `project.edit` permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back …
Sources: GHSA
CVE-2026-33220 | MEDIUM | CWE-200 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Impact: The translation memory API exposed unintended endpoints, which in turn didn't do proper access control.
Patches: https://github.com/WeblateOrg/weblate/pull/18516
Workarounds: The CDN add-on is not enabled by default.
References: Thanks to @sp …
Sources: GHSA
CVE-2026-33212 | LOW | CWE-284 | affected ≥ 0, < 5.17 | 2026-04-16
Weblate: Improper access control for pending tasks in API
Impact: The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to the given scope.
Patches: https://github.com/WeblateOrg/weblate/pull/18515
Workarounds: The attacker needs to guess the random UUID of the task, so exploiting this is unlikely with the defaul…
Sources: GHSA
CVE-2026-27457 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 5.16.1 | 2026-02-26
Weblate is a web-based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve …
Sources: GHSA, NVD, OSV
CVE-2026-24126 | CRITICAL | CVSS 9.1 | CWE-88 | fixed in 5.16 | 2026-02-19
Weblate is a web-based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
Sources: GHSA, NVD, OSV
CVE-2026-21889 | LOW | CVSS 2.3 | CWE-284 | fixed in 5.15.2 | 2026-01-14
Weblate is a web-based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
Sources: GHSA, NVD, OSV
CVE-2025-68398 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 5.15.1 | 2025-12-18
Weblate is a web-based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Sources: GHSA, NVD, OSV
CVE-2025-68279 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 5.15.1 | 2025-12-18
Weblate is a web-based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
Sources: GHSA, NVD, OSV
CVE-2025-67715 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 5.15 | 2025-12-16
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via the API. Version 5.15 fixes the issue.
Sources: GHSA, NVD, OSV
CVE-2025-67492 | MEDIUM | CVSS 5.3 | CWE-1286 | fixed in 5.15 | 2025-12-16
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
Sources: GHSA, NVD, OSV
CVE-2025-66407 | MEDIUM | CVSS 5.0 | CWE-352 | fixed in 5.15 | 2025-12-16
Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to su…
Sources: NVD
CVE-2025-64725 | LOW | CVSS 1.0 | CWE-286 | fixed in 5.15 | 2025-12-15
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
Sources: GHSA, NVD, OSV
CVE-2025-64326 | LOW | CVSS 3.5 | CWE-212 | fixed in 5.14.1 | 2025-11-06
Weblate is a web-based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.
Sources: GHSA, NVD, OSV