Weblateorg Weblate vulnerabilities

27 known vulnerabilities affecting weblateorg/weblate.

Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 14, LOW 7

Vulnerabilities

Page 1 of 2
CVE-2026-33435 | HIGH | CVSS 8.0 | fixed in 5.17 | 2026-04-15
[HIGH] CWE-23: Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by res
Source: NVD
CVE-2026-34393 | HIGH | CVSS 8.8 | fixed in 5.17 | 2026-04-15
[HIGH] CWE-269: Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
Source: NVD
CVE-2026-34242 | HIGH | CVSS 7.7 | fixed in 5.17 | 2026-04-15
[HIGH] CWE-22: Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
Source: NVD
CVE-2026-33440 | MEDIUM | CVSS 5.0 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-918: Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.
Source: NVD
CVE-2026-40256 | MEDIUM | CVSS 5.0 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-22: Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the
Source: NVD
CVE-2026-33220 | MEDIUM | CVSS 6.8 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-22: Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
Source: NVD
CVE-2026-39845 | MEDIUM | CVSS 4.1 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-918: Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.
Source: NVD
CVE-2026-34244 | MEDIUM | CVSS 5.0 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-200: Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL
Source: NVD
CVE-2026-33214 | MEDIUM | CVSS 4.3 | fixed in 5.17 | 2026-04-15
[MEDIUM] CWE-862: Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server,
Source: NVD
CVE-2026-33212 | LOW | CVSS 3.1 | fixed in 5.17 | 2026-04-15
[LOW] CWE-284: Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. Th
Source: NVD
CVE-2026-27457 | MEDIUM | CVSS 4.3 | fixed in 5.16.1 | 2026-02-26
[MEDIUM] CWE-200: Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve
Source: NVD
CVE-2026-24126 | CRITICAL | CVSS 9.1 | fixed in 5.16.0 | 2026-02-19
[CRITICAL] CWE-88: Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.
Source: NVD
CVE-2026-21889 | LOW | CVSS 2.3 | fixed in 5.15.2 | 2026-01-14
[LOW] CWE-284: Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
Source: NVD
CVE-2025-68398 | CRITICAL | CVSS 9.1 | fixed in 5.15.1 | 2025-12-18
[CRITICAL] CWE-20: Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Source: NVD
CVE-2025-68279 | MEDIUM | CVSS 6.5 | fixed in 5.15.1 | 2025-12-18
[MEDIUM] CWE-22: Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
Source: NVD
CVE-2025-67492 | MEDIUM | CVSS 5.3 | fixed in 5.15 | 2025-12-16
[MEDIUM] CWE-1286: Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
Source: NVD
CVE-2025-66407 | MEDIUM | CVSS 5.0 | fixed in 5.15 | 2025-12-16
[MEDIUM] CWE-352: Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to su
Source: NVD
CVE-2025-67715 | MEDIUM | CVSS 4.3 | fixed in 5.15 | 2025-12-16
[MEDIUM] CWE-284: Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
Source: NVD
CVE-2025-64725 | LOW | CVSS 1.0 | fixed in 5.15 | 2025-12-15
[LOW] CWE-286: Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
Source: NVD
CVE-2025-64326 | LOW | CVSS 3.5 | fixed in 5.14.1 | 2025-11-06
[LOW] CWE-212: Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.
Source: NVD