Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/49547?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/49547?format=api", "purl": "pkg:pypi/weblate@5.16.1", "type": "pypi", "namespace": "", "name": "weblate", "version": "5.16.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.17", "latest_non_vulnerable_version": "2026.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37291?format=api", "vulnerability_id": "VCID-557t-6mjj-7kcr", "summary": "Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18549", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18549" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33435", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33435" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49549?format=api", "purl": "pkg:pypi/weblate@5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17" } ], "aliases": [ "CVE-2026-33435", "GHSA-558g-h753-6m33", "PYSEC-2026-154" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-557t-6mjj-7kcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37293?format=api", "vulnerability_id": "VCID-fesz-pv5h-c3e2", "summary": "Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. 
If developers are unable to update immediately, they can disable the webhook add-on as a workaround.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18815", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18815" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39845", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39845" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49549?format=api", "purl": "pkg:pypi/weblate@5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17" } ], 
"aliases": [ "CVE-2026-39845", "GHSA-f8hv-g549-hwg2", "PYSEC-2026-156" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fesz-pv5h-c3e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37292?format=api", "vulnerability_id": "VCID-hdsr-3vyy-5bgh", "summary": "Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18687", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18687" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34393", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34393" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49549?format=api", "purl": "pkg:pypi/weblate@5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17" } ], "aliases": [ "CVE-2026-34393", "GHSA-3382-gw9x-477v", "PYSEC-2026-155" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsr-3vyy-5bgh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37289?format=api", "vulnerability_id": "VCID-hvg1-yhgu-m7ca", "summary": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. 
If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18513", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18513" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33214", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33214" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49549?format=api", "purl": "pkg:pypi/weblate@5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17" } ], "aliases": [ "CVE-2026-33214", "GHSA-mpf5-3vph-q75r", "PYSEC-2026-152" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hvg1-yhgu-m7ca" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37290?format=api", "vulnerability_id": "VCID-p2hq-a8xy-p3b9", "summary": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18516", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18516" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33220", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33220" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49549?format=api", "purl": "pkg:pypi/weblate@5.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17" } ], "aliases": [ "CVE-2026-33220", "GHSA-mqph-7h49-hqfm", "PYSEC-2026-153" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p2hq-a8xy-p3b9" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50413?format=api", "vulnerability_id": "VCID-w9nv-k2jg-yuce", "summary": "Weblate: Missing access control for the AddonViewSet API exposes all addon configurations\nUsers were able to obtain add-on configuration via API.", "references": [ { "reference_url": "https://github.com/WeblateOrg/weblate", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate" }, { "reference_url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9" }, { "reference_url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18107", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18107" }, { "reference_url": "https://github.com/WeblateOrg/weblate/pull/18164", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/pull/18164" }, { "reference_url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27457", "reference_id": "CVE-2026-27457", "reference_type": "", "scores": [ { "value": "4.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27457" }, { "reference_url": "https://github.com/advisories/GHSA-wppc-7cq7-cgfv", "reference_id": "GHSA-wppc-7cq7-cgfv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wppc-7cq7-cgfv" }, { "reference_url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv", "reference_id": "GHSA-wppc-7cq7-cgfv", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49547?format=api", "purl": "pkg:pypi/weblate@5.16.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-557t-6mjj-7kcr" }, { "vulnerability": "VCID-fesz-pv5h-c3e2" }, { "vulnerability": "VCID-hdsr-3vyy-5bgh" }, { "vulnerability": "VCID-hvg1-yhgu-m7ca" }, { "vulnerability": "VCID-p2hq-a8xy-p3b9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16.1" } ], "aliases": [ "CVE-2026-27457", "GHSA-wppc-7cq7-cgfv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w9nv-k2jg-yuce" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16.1" }