10 matches found
Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Impact: An authenticated user with project.add permission (the default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo URL pointing at a private address, e.g. http://127.0.0.1:999...
Server-side Request Forgery (SSRF)
Overview: Weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the ProjectBackup restore path in the backup import code. An attacker can supply a crafted project...
SUSE CVE-2026-33435
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update...
CVE-2026-33435
Weblate: Remote code execution during project backup restoration in versions prior to 5.17 due to backups not filtering Git/Mercurial config files. Fixed in 5.17. Remediation: upgrade to 5.17+ or restrict access to backups (backups are only accessible to users who can create projects).
CVE-2024-39303
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a...
EUVD-2024-2373
Malicious code in bioql PyPI...
CVE-2024-39303 Weblate vulnerable to improper sanitization of project backups
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a...
CVE-2014-0752
The SCADA server in Ecava IntegraXor before 4.1.4369 allows remote attackers to read arbitrary project backup files via a crafted URL...
CVE-2014-0752
The CVE-2014-0752 case concerns Ecava IntegraXor SCADA server prior to 4.1.4369, where the project directory contains files that can be downloaded via a crafted URL due to improper access control. This leads to disclosure of project backup files (partial confidentiality impact) and is exploitable...
CVE-2014-0752 Ecava IntegraXor Exposure of Access Control List Files to an Unauthorized Control Sphere
The SCADA server in Ecava IntegraXor before 4.1.4369 allows remote attackers to read arbitrary project backup files via a crafted URL...