Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/weblate@5.15
Typepypi
Namespace
Nameweblate
Version5.15
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.16.0
Latest_non_vulnerable_version5.17
Affected_by_vulnerabilities
0
url VCID-557t-6mjj-7kcr
vulnerability_id VCID-557t-6mjj-7kcr
summary Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/18549
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://github.com/WeblateOrg/weblate/pull/18549
1
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33
fixed_packages
0
url pkg:pypi/weblate@5.17
purl pkg:pypi/weblate@5.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17
aliases CVE-2026-33435, GHSA-558g-h753-6m33, PYSEC-2026-154
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-557t-6mjj-7kcr
1
url VCID-fesz-pv5h-c3e2
vulnerability_id VCID-fesz-pv5h-c3e2
summary Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/18815
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/18815
1
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2
fixed_packages
0
url pkg:pypi/weblate@5.17
purl pkg:pypi/weblate@5.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17
aliases CVE-2026-39845, GHSA-f8hv-g549-hwg2, PYSEC-2026-156
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fesz-pv5h-c3e2
2
url VCID-hdsr-3vyy-5bgh
vulnerability_id VCID-hdsr-3vyy-5bgh
summary Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/18687
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://github.com/WeblateOrg/weblate/pull/18687
1
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v
fixed_packages
0
url pkg:pypi/weblate@5.17
purl pkg:pypi/weblate@5.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17
aliases CVE-2026-34393, GHSA-3382-gw9x-477v, PYSEC-2026-155
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsr-3vyy-5bgh
3
url VCID-hvg1-yhgu-m7ca
vulnerability_id VCID-hvg1-yhgu-m7ca
summary Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/18513
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/WeblateOrg/weblate/pull/18513
1
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
fixed_packages
0
url pkg:pypi/weblate@5.17
purl pkg:pypi/weblate@5.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17
aliases CVE-2026-33214, GHSA-mpf5-3vph-q75r, PYSEC-2026-152
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hvg1-yhgu-m7ca
4
url VCID-p2hq-a8xy-p3b9
vulnerability_id VCID-p2hq-a8xy-p3b9
summary Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/18516
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/18516
1
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm
fixed_packages
0
url pkg:pypi/weblate@5.17
purl pkg:pypi/weblate@5.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17
aliases CVE-2026-33220, GHSA-mqph-7h49-hqfm, PYSEC-2026-153
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p2hq-a8xy-p3b9
Fixing_vulnerabilities
0
url VCID-egrq-f6sp-3ke5
vulnerability_id VCID-egrq-f6sp-3ke5
summary Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
references
0
reference_url https://github.com/WeblateOrg/weblate
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate
1
reference_url https://github.com/WeblateOrg/weblate/pull/17256
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/17256
2
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67715
reference_id CVE-2025-67715
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-67715
4
reference_url https://github.com/advisories/GHSA-3pmh-24wp-xpf4
reference_id GHSA-3pmh-24wp-xpf4
reference_type
scores
url https://github.com/advisories/GHSA-3pmh-24wp-xpf4
fixed_packages
0
url pkg:pypi/weblate@5.15
purl pkg:pypi/weblate@5.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-557t-6mjj-7kcr
1
vulnerability VCID-fesz-pv5h-c3e2
2
vulnerability VCID-hdsr-3vyy-5bgh
3
vulnerability VCID-hvg1-yhgu-m7ca
4
vulnerability VCID-p2hq-a8xy-p3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15
aliases CVE-2025-67715, GHSA-3pmh-24wp-xpf4, PYSEC-2025-233
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-egrq-f6sp-3ke5
1
url VCID-keku-9eyt-gfhq
vulnerability_id VCID-keku-9eyt-gfhq
summary 
Weblate has improper validation upon invitation acceptance
It was possible to accept an invitation opened by a different Weblate user.
references
0
reference_url https://github.com/WeblateOrg/weblate
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate
1
reference_url https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9
2
reference_url https://github.com/WeblateOrg/weblate/pull/16913
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate/pull/16913
3
reference_url https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64725
reference_id CVE-2025-64725
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-64725
5
reference_url https://github.com/advisories/GHSA-m6hq-f4w9-qrjj
reference_id GHSA-m6hq-f4w9-qrjj
reference_type
scores
url https://github.com/advisories/GHSA-m6hq-f4w9-qrjj
6
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj
reference_id GHSA-m6hq-f4w9-qrjj
reference_type
scores
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj
fixed_packages
0
url pkg:pypi/weblate@5.15
purl pkg:pypi/weblate@5.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-557t-6mjj-7kcr
1
vulnerability VCID-fesz-pv5h-c3e2
2
vulnerability VCID-hdsr-3vyy-5bgh
3
vulnerability VCID-hvg1-yhgu-m7ca
4
vulnerability VCID-p2hq-a8xy-p3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15
aliases CVE-2025-64725, GHSA-m6hq-f4w9-qrjj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-keku-9eyt-gfhq
2
url VCID-unw7-2g9j-x7b5
vulnerability_id VCID-unw7-2g9j-x7b5
summary Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.
references
0
reference_url https://github.com/WeblateOrg/weblate/pull/17102
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/17102
1
reference_url https://github.com/WeblateOrg/weblate/pull/17103
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/17103
2
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
fixed_packages
0
url pkg:pypi/weblate@5.15
purl pkg:pypi/weblate@5.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-557t-6mjj-7kcr
1
vulnerability VCID-fesz-pv5h-c3e2
2
vulnerability VCID-hdsr-3vyy-5bgh
3
vulnerability VCID-hvg1-yhgu-m7ca
4
vulnerability VCID-p2hq-a8xy-p3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15
aliases CVE-2025-66407, GHSA-hfpv-mc5v-p9mm, PYSEC-2025-231
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-unw7-2g9j-x7b5
3
url VCID-xsga-gghy-e7f3
vulnerability_id VCID-xsga-gghy-e7f3
summary Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
references
0
reference_url https://github.com/WeblateOrg/weblate
reference_id
reference_type
scores
url https://github.com/WeblateOrg/weblate
1
reference_url https://github.com/WeblateOrg/weblate/pull/17221
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/pull/17221
2
reference_url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67492
reference_id CVE-2025-67492
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-67492
4
reference_url https://github.com/advisories/GHSA-pj86-258h-qrvf
reference_id GHSA-pj86-258h-qrvf
reference_type
scores
url https://github.com/advisories/GHSA-pj86-258h-qrvf
fixed_packages
0
url pkg:pypi/weblate@5.15
purl pkg:pypi/weblate@5.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-557t-6mjj-7kcr
1
vulnerability VCID-fesz-pv5h-c3e2
2
vulnerability VCID-hdsr-3vyy-5bgh
3
vulnerability VCID-hvg1-yhgu-m7ca
4
vulnerability VCID-p2hq-a8xy-p3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15
aliases CVE-2025-67492, GHSA-pj86-258h-qrvf, PYSEC-2025-232
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xsga-gghy-e7f3
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15