Medium severity4.3NVD Advisory· Published Apr 15, 2026· Updated Apr 21, 2026

CVE-2026-33214

Description

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
weblatePyPI	< 5.17	5.17

Affected products

Weblate/Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
Range: <5.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WeblateOrg/weblate/pull/18513nvdIssue TrackingPatchWEB
github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75rnvdMitigationPatchVendor AdvisoryWEB
github.com/advisories/GHSA-mpf5-3vph-q75rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33214ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000