PT-2026-48524

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS RESTRICT PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions...

PT-2025-51315

Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.15 Description Weblate is a web-based localization tool. Versions prior to 5.15 allowed accepting an invitation opened by a different user. Recommendations Update to version 5.15 or later. As a workaround, avoid...

EUVD-2025-11008

Malicious code in bioql PyPI...

EUVD-2025-18400

Malicious code in bioql PyPI...

CVE-2025-49134

Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12...

CVE-2025-47951

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in...

CVE-2025-49134 Weblate exposes personal IP address via e-mail

Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12...

PYSEC-2025-35

Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code...