Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/weblate@5.16.2 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | weblate |
|---|
| Version | 5.16.2 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 5.17 |
|---|
| Latest_non_vulnerable_version | 5.17 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-557t-6mjj-7kcr |
| vulnerability_id |
VCID-557t-6mjj-7kcr |
| summary |
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33435, GHSA-558g-h753-6m33, PYSEC-2026-154
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-557t-6mjj-7kcr |
|
| 1 |
| url |
VCID-fesz-pv5h-c3e2 |
| vulnerability_id |
VCID-fesz-pv5h-c3e2 |
| summary |
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-39845, GHSA-f8hv-g549-hwg2, PYSEC-2026-156
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fesz-pv5h-c3e2 |
|
| 2 |
| url |
VCID-hdsr-3vyy-5bgh |
| vulnerability_id |
VCID-hdsr-3vyy-5bgh |
| summary |
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34393, GHSA-3382-gw9x-477v, PYSEC-2026-155
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsr-3vyy-5bgh |
|
| 3 |
| url |
VCID-hvg1-yhgu-m7ca |
| vulnerability_id |
VCID-hvg1-yhgu-m7ca |
| summary |
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33214, GHSA-mpf5-3vph-q75r, PYSEC-2026-152
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hvg1-yhgu-m7ca |
|
| 4 |
| url |
VCID-p2hq-a8xy-p3b9 |
| vulnerability_id |
VCID-p2hq-a8xy-p3b9 |
| summary |
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33220, GHSA-mqph-7h49-hqfm, PYSEC-2026-153
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p2hq-a8xy-p3b9 |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16.2 |
|---|