rpm package
opensuse/weblate&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/weblate&distro=openSUSE%20Tumbleweed
Vulnerabilities (15)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-50127 | Medium | 5.9 | | < 5.17.1-2.1 | 5.17.1-2.1 | Jun 10, 2026 | Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private r |
| CVE-2026-45106 | Medium | 4.6 | | < 5.17.1-2.1 | 5.17.1-2.1 | Jun 10, 2026 | Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every use |
| CVE-2026-44264 | Medium | 4.3 | | < 5.17.1-1.1 | 5.17.1-1.1 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. |
| CVE-2026-44263 | Medium | 4.3 | | < 5.17.1-1.1 | 5.17.1-1.1 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. |
| CVE-2026-41654 | High | 8.1 | | < 5.17.1-1.1 | 5.17.1-1.1 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contain |
| CVE-2026-41519 | Medium | 4.2 | | < 5.17.1-1.1 | 5.17.1-1.1 | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patch |
| CVE-2026-27457 | — | — | | < 5.16.1-1.1 | 5.16.1-1.1 | Feb 26, 2026 | Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user |
| CVE-2026-21889 | — | — | | < 5.16-1.1 | 5.16-1.1 | Jan 14, 2026 | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.1 |
| CVE-2025-68398 | — | — | | < 5.14.3-2.1 | 5.14.3-2.1 | Dec 18, 2025 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. |
| CVE-2025-64326 | — | — | | < 5.14.3-1.1 | 5.14.3-1.1 | Nov 6, 2025 | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. Thi |
| CVE-2025-61587 | — | — | | < 5.13.3-1.1 | 5.13.3-1.1 | Oct 1, 2025 | Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a |
| CVE-2025-32021 | — | — | | < 5.11.3-1.1 | 5.11.3-1.1 | Apr 15, 2025 | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, |
| CVE-2024-39303 | — | — | | < 5.6.2-1.1 | 5.6.2-1.1 | Jul 1, 2024 | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5. |
| CVE-2022-24710 | — | — | | < 4.11-1.1 | 4.11-1.1 | Feb 25, 2022 | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The is |
| CVE-2020-6802 | — | — | | < 4.8.1-1.1 | 4.8.1-1.1 | Mar 24, 2020 | In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. |