Vendor CVEs
Weblateorg
All CVEs
38 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34393 | Weblateorg / Weblate | High | 0.50 | 8.8 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17. |
| CVE-2026-41654 | Weblateorg / Weblate | High | 0.46 | 8.1 | 0.00 | | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json… |
| CVE-2026-33435 | Weblateorg / Weblate | High | 0.45 | 8.0 | 0.01 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable… |
| CVE-2026-34242 | Weblateorg / Weblate | High | 0.43 | 7.7 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17. |
| CVE-2026-33220 | Weblateorg / Weblate | Medium | 0.37 | 6.8 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can… |
| CVE-2026-50127 | Weblateorg / Weblate | Medium | 0.31 | 5.9 | 0.00 | | Jun 10, 2026 | Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private… |
| CVE-2017-5537 | Weblateorg / Weblate | Medium | 0.28 | 5.3 | 0.02 | | Mar 15, 2017 | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests. |
| CVE-2026-42150 | Weblateorg / wlc | Medium | 0.26 | 5.1 | 0.00 | | May 8, 2026 | wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in… |
| CVE-2026-40256 | Weblateorg / Weblate | Medium | 0.26 | 5.0 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and… |
| CVE-2026-34244 | Weblateorg / Weblate | Medium | 0.26 | 5.0 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration… |
| CVE-2026-33440 | Weblateorg / Weblate | Medium | 0.26 | 5.0 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17. |
| CVE-2026-45106 | Weblateorg / Weblate | Medium | 0.23 | 4.6 | 0.00 | | Jun 10, 2026 | Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every… |
| CVE-2026-44264 | Weblateorg / Weblate | Medium | 0.21 | 4.3 | 0.00 | | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. |
| CVE-2026-44263 | Weblateorg / Weblate | Medium | 0.21 | 4.3 | 0.00 | | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. |
| CVE-2026-33214 | Weblateorg / Weblate | Medium | 0.21 | 4.3 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work… |
| CVE-2026-41519 | Weblateorg / Weblate | Medium | 0.20 | 4.2 | 0.00 | | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been… |
| CVE-2026-39845 | Weblateorg / Weblate | Medium | 0.20 | 4.1 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround. |
| CVE-2026-33212 | Weblateorg / Weblate | Low | 0.13 | 3.1 | 0.00 | | Apr 15, 2026 | Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of… |
| CVE-2026-27457 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Feb 26, 2026 | Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user… |
| CVE-2026-24126 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Feb 18, 2026 | Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access… |
| CVE-2026-23535 | Weblateorg / wlc | | 0.00 | — | 0.00 | | Jan 16, 2026 | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. |
| CVE-2026-21889 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Jan 14, 2026 | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in… |
| CVE-2026-22251 | Weblateorg / wlc | | 0.00 | — | 0.00 | | Jan 12, 2026 | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. |
| CVE-2026-22250 | Weblateorg / wlc | | 0.00 | — | 0.00 | | Jan 12, 2026 | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. |
| CVE-2025-68398 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 18, 2025 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. |
| CVE-2025-68279 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 18, 2025 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. |
| CVE-2025-67715 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. |
| CVE-2025-67492 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this… |
| CVE-2025-66407 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 15, 2025 | Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the… |
| CVE-2025-64725 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Dec 15, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
| CVE-2025-64326 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Nov 6, 2025 | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users.… |
| CVE-2025-61587 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Oct 1, 2025 | Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a… |
| CVE-2025-58352 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Sep 4, 2025 | Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in… |
| CVE-2025-49134 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12. |
| CVE-2025-47951 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has… |
| CVE-2025-32021 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Apr 15, 2025 | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for… |
| CVE-2024-39303 | Weblateorg / Weblate | | 0.00 | — | 0.00 | | Jul 1, 2024 | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate… |
| CVE-2022-24710 | Weblateorg / Weblate | | 0.00 | — | 0.01 | | Feb 25, 2022 | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The… |