
5 matches found

RedhatCVE
added 2026/02/28 1:55 a.m. | 6 views

CVE-2026-27457

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVSS 4.3 | AI score 5.9 | EPSS 0.00303
Exploits: 0 | References: 1
Vulnrichment
added 2026/02/26 9:56 p.m. | 5 views

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVSS 4.3 | AI score 5.9 | EPSS 0.00303
Exploits: 0 | References: 6
Cvelist
added 2026/02/26 9:56 p.m. | 21 views

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVSS 4.3 | EPSS 0.00303
Exploits: 0 | References: 6
CVE
added 2026/02/26 9:56 p.m. | 13 views

CVE-2026-27457

Weblate CVE-2026-27457 records a missing access control in the AddonViewSet: before 5.16.1, the REST API uses Addon.objects.all() without proper get_queryset scoping, allowing any authenticated user (or anonymous if REQUIRE_LOGIN is not set) to list or retrieve all addons across projects via GET ...

CVSS 4.3 | AI score 5.4 | EPSS 0.00303
Exploits: 0 | References: 6 | Affected Software: 1
OSV
added 2026/02/26 9:56 p.m. | 5 views

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVSS 4.3 | AI score 5.9 | EPSS 0.00303
Exploits: 0 | References: 8