CVE-2025-69162 WordPress Grecko theme <= 5.17 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Grecko = 5.17 versions...

CVE-2026-33214

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

CVE-2026-33440

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWEDASSETDOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17...

CVE-2026-39845

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

CVE-2026-34393

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17...

CVE-2026-33435

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update...

CVE-2026-44264

Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVE-2026-44264 Weblate is vulnerable to XSS via crafted Markdown

Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1...

CVE-2026-41519 Weblate's API Token Not Invalidated on Password Change

Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cyclesessionkeys", but DRF API tokens "wlu" prefix stored in "authtokentoken" are not revoked. This issue has been patched in version 5.17.1...

SUSE CVE-2026-33214

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

SUSE CVE-2026-33435

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update...

SUSE CVE-2026-33440

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWEDASSETDOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17...

SUSE CVE-2026-34242

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17...

EUVD-2026-23018

Weblate: SSRF via the webhook add-on using unprotected fetchurl...

EUVD-2026-23005

Weblate: Privilege escalation in the user API endpoint...

EUVD-2026-23003

Weblate: Arbitrary File Read via Symlink...

Symlink Attack

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Symlink Attack in the ZIP download. An attacker can access arbitrary files outside the intended repository by exploiting symlink traversal...

EUVD-2026-23002

Weblate: Authenticated SSRF via redirect bypass of ALLOWEDASSETDOMAINS in screenshot URL uploads...

Arbitrary File Upload

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Arbitrary File Upload in the backup restoration, due to insufficient filtering of configuration files. An attacker with access to create...

EUVD-2026-22999

Weblate: Improper access control for the translation memory in API...