CVE-2026-34244
Description
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
weblatePyPI | < 5.17 | 5.17 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/WeblateOrg/weblate/commit/e619e9090202e4886b844c110d39308e7e882c0envdPatchWEB
- github.com/WeblateOrg/weblate/security/advisories/GHSA-xrwr-fcw6-fmq8nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-xrwr-fcw6-fmq8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34244ghsaADVISORY
- github.com/WeblateOrg/weblate/pull/18684ghsaWEB
News mentions
0No linked articles in our index yet.