CVE-2026-33214
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...
CVE-2026-39845
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...
SUSE CVE-2026-41654
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...
CVE-2026-41654
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...
Weblate code issue vulnerability
Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17.1 have a code-related vulnerability: when a user changes their password, their DRF API tokens are not revoked...
Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Impact: An authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo URL pointing at a private address, e.g. http://127.0.0.1:999...
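Both the webhook add-on entry (CVE-2026-39845) and the backup-import entry above describe the same defect class: an SSRF check exists on one code path and is skipped on another. The example below is added here and is not Weblate's code; `validate_repo_url`, `import_backup`, the `components/<n>.json` archive layout, the `FAKE_DNS` table and all addresses in it are assumptions made so the check runs offline. It shows a single validator that rejects loopback, private, link-local and IPv4-mapped addresses both for literal IPs and for every address a hostname resolves to, and then routes every repo URL pulled out of a backup ZIP through that same validator.

```python
import io
import ipaddress
import json
import socket
import zipfile
from urllib.parse import urlsplit

# Hypothetical names modelled on the advisory text; this is not Weblate's own
# validate_repo_url, and the backup layout used below is constructed.
ALLOWED_SCHEMES = {"https", "http", "git", "ssh"}


class UnsafeRepoURL(ValueError):
    """Raised when a repository URL must not be fetched from this server."""


def is_forbidden_ip(ip) -> bool:
    """True for anything that is not a routable public unicast address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # check ::ffff:127.0.0.1 as 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_repo_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeRepoURL.

    resolver is injectable so the check can be exercised without network access.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeRepoURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeRepoURL("URL has no host")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # a hostname, resolved below
    if literal is not None:
        if is_forbidden_ip(literal):
            raise UnsafeRepoURL(f"address not allowed: {host}")
        return url
    try:
        infos = resolver(host, None)
    except socket.gaierror as exc:
        raise UnsafeRepoURL(f"cannot resolve {host}: {exc}") from exc
    # A name may resolve to several addresses; every one of them must be public.
    for info in infos:
        addr = info[4][0].split("%", 1)[0]  # drop an IPv6 scope id if present
        if is_forbidden_ip(ipaddress.ip_address(addr)):
            raise UnsafeRepoURL(f"{host} resolves to non-public address {addr}")
    return url


def is_safe_repo_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        validate_repo_url(url, resolver)
    except UnsafeRepoURL:
        return False
    return True


def build_backup(repo_urls) -> bytes:
    """Constructed stand-in for a project backup ZIP: one components/<n>.json per component."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, url in enumerate(repo_urls):
            zf.writestr(f"components/{n}.json",
                        json.dumps({"name": f"component-{n}", "repo": url}))
    return buf.getvalue()


def import_backup(zip_bytes: bytes, resolver=socket.getaddrinfo) -> list:
    """Every repo URL in the archive goes through the same validator as the create form."""
    validated = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("components/") and name.endswith(".json"):
                component = json.loads(zf.read(name))
                validated.append(validate_repo_url(component["repo"], resolver))
    return validated


def backup_is_importable(zip_bytes: bytes, resolver=socket.getaddrinfo) -> bool:
    try:
        import_backup(zip_bytes, resolver)
    except UnsafeRepoURL:
        return False
    return True


# Constructed DNS table so the example is deterministic and offline.
FAKE_DNS = {
    "git.example.org": ["93.184.216.34"],
    "intranet.example.org": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host, port):
    try:
        return [(None, None, None, None, (addr, 0)) for addr in FAKE_DNS[host]]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")
```

Two caveats a practitioner will want. First, this is a check-then-fetch design: a name that resolves to a public address during validation can be rebound to 127.0.0.1 before the clone runs, so the robust form pins the resolved address at connect time or clones through an egress proxy that enforces the same policy. Second, the simplified validator rejects scp-style `git@host:path` remotes because they have no URL scheme; a real deployment has to parse that form too rather than let it bypass the hostname check.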
weblate-fedora-messaging (>=0.1.0 <=0.12.0), wlhosted (>=2024.11.0 <=2025.1.0) potentially affected by CVE-2026-41654 via weblate (>=5.12.2 <=5.16.2)
weblate PYPI version =5.12.2, =0.1.0, =2024.11.0, =2025.1.0. Source CVEs: CVE-2026-41654. Source advisory: SNYK:PYTHON-WEBLATE-16415532...
PT-2026-37127
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17.1. Description: When a user changes their password, browser sessions are invalidated using the cycle session keys function, but Django REST Framework (DRF) API tokens (with the wlu_ prefix) stored in authtoken_token are...
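The two entries above for this issue describe a credential lifecycle bug: a password change re-keys browser sessions but leaves API tokens valid. The in-memory model below is an added example, not Weblate's or Django's code; `AuthStore`, its method names and the PBKDF2 parameters are assumptions. It keeps sessions and API tokens in separate stores, as the advisory describes, and contrasts a password change that only cycles sessions with one that drops every credential derived from the old login in a single routine.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory model of the two credential stores the advisory
# contrasts: login sessions and API tokens. Names are illustrative only.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class AuthStore:
    def __init__(self):
        self.passwords = {}   # username -> password hash
        self.sessions = {}    # session key -> username (browser logins)
        self.api_tokens = {}  # token -> username (models the authtoken_token table)

    def create_user(self, username: str, password: str) -> None:
        self.passwords[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        if not check_password(password, self.passwords[username]):
            raise PermissionError("bad credentials")
        key = secrets.token_urlsafe(32)
        self.sessions[key] = username
        return key

    def issue_api_token(self, username: str) -> str:
        token = "wlu_" + secrets.token_urlsafe(24)  # prefix as named in the advisory
        self.api_tokens[token] = username
        return token

    def user_for_session(self, key: str):
        return self.sessions.get(key)

    def user_for_token(self, token: str):
        return self.api_tokens.get(token)

    def _cycle_sessions(self, username: str) -> None:
        # Stand-in for re-keying the user's sessions: old keys stop resolving.
        for key in [k for k, u in self.sessions.items() if u == username]:
            del self.sessions[key]

    def _revoke_api_tokens(self, username: str) -> None:
        for token in [t for t, u in self.api_tokens.items() if u == username]:
            del self.api_tokens[token]

    def change_password_vulnerable(self, username: str, new_password: str) -> None:
        """The bug: password and sessions change, API tokens keep working."""
        self.passwords[username] = hash_password(new_password)
        self._cycle_sessions(username)

    def change_password_fixed(self, username: str, new_password: str) -> None:
        """Every credential tied to the old password is dropped together."""
        self.passwords[username] = hash_password(new_password)
        self._cycle_sessions(username)
        self._revoke_api_tokens(username)


def demo() -> dict:
    """Run both variants against one user and report what survives."""
    store = AuthStore()
    store.create_user("alice", "hunter2")
    session = store.login("alice", "hunter2")
    token = store.issue_api_token("alice")

    store.change_password_vulnerable("alice", "correct horse")
    results = {
        "old_session_dead_after_vulnerable": store.user_for_session(session) is None,
        "old_token_alive_after_vulnerable": store.user_for_token(token) == "alice",
    }
    store.change_password_fixed("alice", "battery staple")
    results["old_token_dead_after_fixed"] = store.user_for_token(token) is None
    results["new_login_works"] = store.user_for_session(
        store.login("alice", "battery staple")) == "alice"
    return results
```

The point of routing both changes through one method is that the set of credential kinds only grows (sessions, API tokens, project tokens, remember-me cookies, OAuth grants), and a revocation list maintained in one place is the only one that stays complete. Whether a product should also re-issue the token for the session that performed the change is a UX choice; the security requirement is that nothing minted under the old password keeps authenticating.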
Directory Traversal
Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Directory Traversal in the repository boundary validation, due to reliance on string prefix checks for resolved absolute paths. An attacker...
Improper Configuration Control
weblate is vulnerable to improper configuration control. The vulnerability is due to the ability to remotely overwrite Git configuration, which allows an attacker to modify repository behavior and potentially manipulate project operations...
SUSE CVE-2026-21889
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2...
CVE-2026-21889
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2...
GHSA-8VCG-CFXJ-P5M3 Weblate is vulnerable to RCE through Git config file overwrite
Impact: It was possible to overwrite Git configuration remotely and override some of its behavior. Resources: Thanks to Jason Marcello for responsible disclosure...
CVE-2025-68279 Weblate has an arbitrary file read via symbolic links
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue...
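The Directory Traversal entry (prefix checks on resolved paths), the Git config overwrite entries and the symbolic-link file read above are all failures of one boundary check: deciding whether a file the repository names is really inside the repository. The example below is added here and is not Weblate's code; `prefix_check_inside`, `resolve_inside_repository` and the temporary directory layout in `demo()` are assumptions. It puts the fragile pattern (string prefix on `os.path.abspath`) next to a check that resolves symlinks on both sides, compares path components rather than characters, and refuses the `.git` metadata directory so a translation file can never land on Git's config or hooks.

```python
import os
import tempfile
from pathlib import Path

# Illustrative names; this is not Weblate's own boundary check.


class PathOutsideRepository(ValueError):
    """Raised when a requested file would land outside the repository tree."""


def prefix_check_inside(repo_dir: str, candidate: str) -> bool:
    """The fragile pattern: compare absolute path strings by prefix.

    os.path.abspath only normalises '..' lexically; it never follows symlinks,
    and a prefix match accepts sibling directories such as /srv/repos/proj-evil
    when the root is /srv/repos/proj.
    """
    return os.path.abspath(candidate).startswith(os.path.abspath(repo_dir))


def resolve_inside_repository(repo_dir: str, relative: str) -> Path:
    """Resolve relative against repo_dir and prove the result stays inside it."""
    root = Path(repo_dir).resolve(strict=True)   # root must exist; symlinks followed
    target = (root / relative).resolve()         # follows '..' and every symlink
    try:
        inside = target.relative_to(root)        # component-wise containment
    except ValueError:
        raise PathOutsideRepository(f"{relative!r} escapes {root}") from None
    if ".git" in inside.parts:                   # never touch Git's own metadata
        raise PathOutsideRepository(f"{relative!r} targets the .git directory")
    return target


def _rejected(repo: Path, relative: str) -> bool:
    try:
        resolve_inside_repository(str(repo), relative)
    except PathOutsideRepository:
        return True
    return False


def demo() -> dict:
    """Build a constructed layout in a temp dir and report what each check decides."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        repo = base / "proj"
        (repo / "po").mkdir(parents=True)
        (repo / ".git").mkdir()
        (base / "proj-evil").mkdir()
        secret = base / "secret.txt"
        secret.write_text("not for translators\n")
        # An attacker-controlled symlink committed into the repository.
        (repo / "po" / "cs.po").symlink_to(secret)

        return {
            # Weaknesses of the prefix pattern.
            "prefix_accepts_sibling": prefix_check_inside(str(repo), str(base / "proj-evil" / "x")),
            "prefix_accepts_symlink": prefix_check_inside(str(repo), str(repo / "po" / "cs.po")),
            # The resolved, component-wise check.
            "resolved_rejects_dotdot": _rejected(repo, "../secret.txt"),
            "resolved_rejects_absolute": _rejected(repo, str(secret)),
            "resolved_rejects_sibling": _rejected(repo, "../proj-evil/x"),
            "resolved_rejects_symlink": _rejected(repo, "po/cs.po"),
            "resolved_rejects_git": _rejected(repo, ".git/config"),
            "resolved_accepts_normal": not _rejected(repo, "po/de.po"),
        }
```

Resolving at check time still leaves a window if the repository can be rewritten between the check and the open (a `git pull` that swaps a file for a symlink, for instance); where that matters, open the file with `O_NOFOLLOW` on the final component or operate on a directory file descriptor, and keep the resolved-path check as the first line rather than the only one.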
Weblate code issue vulnerability
Weblate is a copyleft, open-source, web-based continuous localization system for free software. A code issue vulnerability exists in Weblate versions prior to 5.15.1 that stems from being able to remotely overwrite Git configuration...
weblate-fedora-messaging (>=0.1.0 <=0.12.0), wlhosted (=2024.11.0) potentially affected by CVE-2025-67715 via weblate (>=5.12.2 <=5.14.3)
weblate PYPI version =5.12.2, =0.1.0, =0.12.0; wlhosted =2024.11.0. Source CVEs: CVE-2025-67715. Source advisory: SNYK:PYTHON-WEBLATE-14426303...
weblate-fedora-messaging (>=0.1.0 <=0.12.0), wlhosted (=2024.11.0) potentially affected by CVE-2025-64725 via weblate (>=5.12.2 <=5.14.3)
weblate PYPI version =5.12.2, =0.1.0, =0.12.0; wlhosted =2024.11.0. Source CVEs: CVE-2025-64725. Source advisory: SNYK:PYTHON-WEBLATE-14426304...
Weblate security vulnerability
Weblate is a copyleft, open-source, web-based continuous localization system for free software. A security vulnerability exists in Weblate 5.14 and earlier versions, which stems from audit logs leaking project member IP addresses, potentially leading to information disclosure...
EUVD-2017-0140
Malware in sbrugna...
EUVD-2022-0360
Malicious code in bioql PyPI...