
463 matches found

EUVD
added 2026/04/16 8:41 p.m. · 1 view

EUVD-2026-22997

Weblate: Improper access control for pending tasks in API...

CVSS 3.1 · AI score 5.8 · EPSS 0.00011
Exploits 0 · References 4
PyPA
added 2026/04/15 7:16 p.m. · 9 views

PYSEC-2026-156

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

CVSS 4.1 · AI score 5.7 · EPSS 0.0001
Exploits 0 · References 2 · Affected Software 1
NVD
added 2026/04/15 7:16 p.m. · 0 views

CVE-2026-34393

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17...

CVSS 8.8 · EPSS 0.00016
Exploits 0 · References 2
OSV
added 2026/04/15 7:16 p.m. · 4 views

PYSEC-2026-155

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17...

CVSS 8.8 · AI score 5.7 · EPSS 0.00016
Exploits 0 · References 2
NVD
added 2026/04/15 7:16 p.m. · 0 views

CVE-2026-34242

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17...

CVSS 7.7 · EPSS 0.00017
Exploits 0 · References 2
CVE
added 2026/04/15 6:24 p.m. · 1 view

CVE-2026-34393

Weblate (web-based localization tool) has a vulnerability in the user patching API endpoint that allows privilege escalation by not properly limiting edit scope in versions prior to 5.17. The issue has been fixed in 5.17. Affected component is the user API endpoint; root cause is insufficient sco...

CVSS 8.8 · AI score 5.7 · EPSS 0.00016
Exploits 0 · References 2 · Affected Software 1
PyPA
added 2026/04/15 6:17 p.m. · 8 views

PYSEC-2026-152

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

CVSS 4.3 · AI score 5.7 · EPSS 0.00011
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/04/15 6:17 p.m. · 3 views

PYSEC-2026-152

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

CVSS 4.3 · AI score 5.8 · EPSS 0.00011
Exploits 0 · References 2
Positive Technologies
added 2026/04/15 12:00 a.m. · 1 view

PT-2026-33120

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17...

CVSS 7.7 · AI score 5.7 · EPSS 0.00017
Exploits 0 · References 4
Positive Technologies
added 2026/04/15 12:00 a.m. · 0 views

PT-2026-33122

CVE-2026-34393 Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixe… https://t.co/JEJrafhYzJ...

CVSS 8.8 · AI score 5.7 · EPSS 0.00016
Exploits 0 · References 4
Packet Storm News
added 2026/04/14 12:00 a.m. · 2 views

LogicEval: A Systematic Framework for Evaluating Automated Repair Techniques for Logical Vulnerabilities in Real-World Software

Logical vulnerabilities in software stem from flaws in program logic rather than memory safety, which can lead to critical security failures. Although existing automated program repair techniques primarily focus on repairing memory corruption vulnerabilities, they struggle with logical...

AI score 5.9
Exploits 0
RedhatCVE
added 2026/03/26 3:03 p.m. · 1 view

CVE-2026-32251

Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources .xml and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files...

CVSS 9.3 · AI score 5.9 · EPSS 0.00047
Exploits 1 · References 1
Packet Storm News
added 2026/03/26 12:00 a.m. · 1 view

Beyond Content Safety: Real-Time Monitoring for Reasoning Vulnerabilities in Large Language Models

Large language models (LLMs) increasingly rely on explicit chain-of-thought (CoT) reasoning to solve complex tasks, yet the safety of the reasoning process itself remains largely unaddressed. Existing work on LLM safety focuses on content safety--detecting harmful, biased, or factually incorrect...

AI score 6.1
Exploits 0
Packet Storm News
added 2026/03/11 12:00 a.m. · 1 view

D-SLAMSpoof: An Environment-Agnostic LiDAR Spoofing Attack Using Dynamic Point Cloud Injection

In this work, we introduce Dynamic SLAMSpoof (D-SLAMSpoof), a novel attack that compromises LiDAR SLAM even in feature-rich environments. The attack leverages LiDAR spoofing, which injects spurious measurements into LiDAR scans through external laser interference. By designing both spatial injectio...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/02/14 1:26 a.m. · 2 views

CVE-2026-26011

navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to...

CVSS 9.8 · AI score 5.7 · EPSS 0.00183
Exploits 1 · References 1
OpenVAS
added 2026/02/12 12:00 a.m. · 2 views

Mageia: Security Advisory (MGASA-2026-0036)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

CVSS 4.3 · AI score 5.5 · EPSS 0.00008
Exploits 0 · References 5
Packet Storm News
added 2026/01/30 12:00 a.m. · 2 views

SpyDir: Spy Device Localization through Accurate Direction Finding

Hidden spy cameras have become a great privacy threat recently, as these low-cost, low-power, and small form-factor IoT devices can quietly monitor human activities in the indoor environment without generating any side-channel information. As such, it is difficult to detect and even more...

AI score 5.5
Exploits 0
CVE
added 2026/01/14 4:28 p.m. · 5 views

CVE-2026-21889

CVE-2026-21889 affects the Weblate web-based localization tool. Before version 5.15.2, screenshot images were served directly by the HTTP server without proper access control, potentially allowing an unauthenticated attacker to access screenshots by guessing filenames. This could impact confident...

CVSS 7.5 · AI score 6.4 · EPSS 0.00051
Exploits 0 · References 3 · Affected Software 1
Vulnrichment
added 2026/01/14 4:28 p.m. · 4 views

CVE-2026-21889 Weblate leaks information via screenshots

Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2...

CVSS 2.3 · AI score 6.4 · EPSS 0.00051
Exploits 0 · References 3
RedhatCVE
added 2026/01/09 10:08 a.m. · 5 views

CVE-2019-20375

A cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) 3.1.4 allows remote attackers to inject arbitrary web script or HTML via the value parameter in a localization (loc) command to elogd.c...

CVSS 6.1 · AI score 5.8 · EPSS 0.00301
Exploits 0 · References 1