PyPI package
weblate
pkg:pypi/weblate
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67492 | — | — | | < 5.15 | 5.15 | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vuln |
| CVE-2025-64725 | — | — | | < 5.15 | 5.15 | Dec 15, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
| CVE-2025-64326 | — | — | | < 5.14.1 | 5.14.1 | Nov 6, 2025 | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. Thi |
| CVE-2025-58352 | — | — | | < 5.13.1 | 5.13.1 | Sep 4, 2025 | Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in vers |
| CVE-2025-49134 | — | — | | < 5.12 | 5.12 | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12. |
| CVE-2025-47951 | — | — | | < 5.12 | 5.12 | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has b |
| CVE-2025-32021 | — | — | | < 5.11 | 5.11 | Apr 15, 2025 | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, |
| CVE-2024-39303 | — | — | | >= 4.14, < 5.6.2 | 5.6.2 | Jul 1, 2024 | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5. |
| CVE-2022-23915 | — | — | | < 4.11.1 | 4.11.1 | Mar 4, 2022 | The weblate package from version 0 and before 4.11.1 is vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users can change the behavior of the application in an unintended way, leading to command execution. |
| CVE-2022-24710 | — | — | | < 4.11 | 4.11 | Feb 25, 2022 | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The is |
| CVE-2017-5537 | Med | 5.3 | | < 2.10.1 | 2.10.1 | Mar 15, 2017 | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests. |
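To check a pinned weblate release against the rows listed here, the following added example (written for this page; not part of the page's data feed or of the Weblate project) transcribes the Affected versions and Fixed in columns into a small range matcher. It assumes Weblate release numbers are plain dotted integers, as every version in the table is, and it covers only the 11 advisories on this page (the listing is page 2 of 2 of 31), so a clean result here is not a clean result overall.

```python
"""Check a pinned weblate release against the advisory rows in the table above.

Added example, not part of this page's data source or of the Weblate project.
The ranges are transcribed from the table; the table is page 2 of 2, so only
the 11 rows shown are covered, not all 31 advisories.
"""
import re
from functools import cmp_to_key
from typing import List, Optional, Tuple

# (CVE, "Affected versions" column as printed, "Fixed in" column)
ADVISORIES: List[Tuple[str, str, str]] = [
    ("CVE-2025-67492", "< 5.15", "5.15"),
    ("CVE-2025-64725", "< 5.15", "5.15"),
    ("CVE-2025-64326", "< 5.14.1", "5.14.1"),
    ("CVE-2025-58352", "< 5.13.1", "5.13.1"),
    ("CVE-2025-49134", "< 5.12", "5.12"),
    ("CVE-2025-47951", "< 5.12", "5.12"),
    ("CVE-2025-32021", "< 5.11", "5.11"),
    ("CVE-2024-39303", ">= 4.14, < 5.6.2", "5.6.2"),
    ("CVE-2022-23915", "< 4.11.1", "4.11.1"),
    ("CVE-2022-24710", "< 4.11", "4.11"),
    ("CVE-2017-5537", "< 2.10.1", "2.10.1"),
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.14.1' -> (5, 14, 1). Weblate tags are plain dotted integers, so
    anything else (a pre-release such as '5.15rc1') is refused rather than
    silently misordered."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: Version, b: Version) -> int:
    """-1, 0 or 1. Missing trailing components count as zero, so
    (5, 15) compares equal to (5, 15, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0, "==": lambda c: c == 0,
}


def matches(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `spec`,
    e.g. matches("5.0", ">= 4.14, < 5.6.2") is True."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def audit(version: str) -> Tuple[List[str], Optional[str]]:
    """Return the listed CVEs that apply to `version` and the lowest release
    that clears all of them (None when nothing listed applies)."""
    hits = [(cve, fixed) for cve, spec, fixed in ADVISORIES if matches(version, spec)]
    if not hits:
        return [], None
    by_version = cmp_to_key(lambda x, y: compare(parse_version(x), parse_version(y)))
    return [cve for cve, _ in hits], max((fixed for _, fixed in hits), key=by_version)


if __name__ == "__main__":
    import sys

    pinned = sys.argv[1] if len(sys.argv) > 1 else "5.0"
    cves, target = audit(pinned)
    if cves:
        print(f"weblate {pinned}: {len(cves)} listed advisories apply, upgrade to >= {target}")
        for cve in cves:
            print("  ", cve)
    else:
        print(f"weblate {pinned}: no advisory on this page applies")
```

Run it as `python weblate_audit.py 5.14.1` (the file name is hypothetical); it prints the applicable ids and the lowest release that clears all of them. Because components are zero-padded before comparison, `5.15` and `5.15.0` are treated as the same release, and a clause such as `< 5.15` excludes `5.15` itself, matching how the Fixed in column reads.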
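The CVE-2024-39303 row describes a backup restore that trusted the filenames inside a ZIP archive. The following added example, written for this page and not taken from Weblate, shows the bug class and a restore that fails closed: `naive_targets` computes where an unchecked `os.path.join(dest, member)` would write (nothing is written), and `restore_safe` refuses any archive whose members would resolve outside the destination directory. The archive contents, function names and directory layout are constructed for the demonstration.

```python
"""Hardened vs. naive archive restore, illustrating the bug class behind
CVE-2024-39303 (unvalidated member names in a project backup ZIP).

Added example only: none of this is Weblate code, and the archive contents
below are constructed for the demonstration.
"""
import io
import os
import shutil
import tempfile
import zipfile


def build_hostile_zip() -> bytes:
    """Constructed sample: one legitimate member plus two that try to land
    outside the restore directory (parent traversal and an absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/de.po", 'msgid "Hello"\nmsgstr "Hallo"\n')
        zf.writestr("../../outside.txt", "escaped via ..")
        zf.writestr("/etc/evil.conf", "escaped via absolute path")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample with only well-formed relative member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/de.po", 'msgid "Hello"\nmsgstr "Hallo"\n')
    return buf.getvalue()


def naive_targets(data: bytes, dest: str) -> list:
    """Where a restore that trusts member names would write. Nothing is
    written; the paths are returned so the escape can be seen. os.path.join
    drops `dest` entirely for an absolute member name, and '..' components
    walk upward out of it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [os.path.normpath(os.path.join(dest, n)) for n in zf.namelist()]


def safe_member_path(dest: str, name: str) -> str:
    """Resolve `name` under `dest`, raising ValueError if it would end up
    anywhere else. Absolute names are refused outright; everything else is
    joined, canonicalised and checked to still sit under the real `dest`."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        raise ValueError(f"absolute member name: {name!r}")
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"member escapes restore directory: {name!r}")
    return candidate


def is_safe_member(dest: str, name: str) -> bool:
    try:
        safe_member_path(dest, name)
        return True
    except ValueError:
        return False


def restore_safe(data: bytes, dest: str) -> list:
    """Fail closed: validate every member before writing anything, so a
    hostile archive is rejected as a whole rather than partially applied.
    Returns the written paths relative to `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = [n for n in zf.namelist() if not is_safe_member(dest, n)]
        if bad:
            raise ValueError(f"refusing archive with unsafe members: {bad}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = safe_member_path(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.relpath(target, os.path.realpath(dest)))
        return written


def demo() -> dict:
    """Run both restores against a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_hostile_zip()
        escapes = [t for t in naive_targets(hostile, dest)
                   if os.path.commonpath([dest, t]) != dest]
        try:
            restore_safe(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        written = restore_safe(build_benign_zip(), dest)
        return {"naive_escapes": len(escapes),
                "hostile_rejected": rejected,
                "benign_written": written}


if __name__ == "__main__":
    print(demo())
```

The `realpath` plus `commonpath` comparison catches both `..` traversal and absolute member names, and it still holds when the destination itself is a symlink, since both sides are canonicalised the same way. It does not cover members that are themselves symlinks or hard links, which `zipfile` does not create on extraction but other archive formats such as tar can; a restore routine accepting those needs a separate check.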
Page 2 of 2