CVE-2026-41654
CVE-2026-41654 – Weblate SSRF via project backup import . Weblate before 5.17.1 allows an authenticated user with the project.add permission to import a crafted project backup ZIP. If components/.json contains an attacker-chosen repo URL pointing to a private address (e.g., http://127.0.0.1:9999/...