| 0 |
| url |
VCID-13gh-1j1y-pud2 |
| vulnerability_id |
VCID-13gh-1j1y-pud2 |
| summary |
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/weblate@5.16 |
| purl |
pkg:pypi/weblate@5.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 1 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 2 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 3 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 4 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 5 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 6 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 7 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 8 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 9 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 10 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 11 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 12 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 13 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 14 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16 |
|
|
| aliases |
CVE-2026-24126, GHSA-33fm-6gp7-4p47
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-13gh-1j1y-pud2 |
|
| 1 |
| url |
VCID-27fd-5u31-q7ft |
| vulnerability_id |
VCID-27fd-5u31-q7ft |
| summary |
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/WeblateOrg/weblate/pull/16781 |
| reference_id |
16781 |
| reference_type |
|
| scores |
| 0 |
| value |
2.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:17:50Z/ |
|
|
| url |
https://github.com/WeblateOrg/weblate/pull/16781 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.14.1 |
| purl |
pkg:pypi/weblate@5.14.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-849m-3c8x-z3dv |
|
| 5 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 6 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 7 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 8 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 9 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 10 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 11 |
| vulnerability |
VCID-nvm6-6nvn-vqff |
|
| 12 |
| vulnerability |
VCID-r36u-2h85-23b2 |
|
| 13 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 14 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 15 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 16 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 17 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 18 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 19 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 20 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 21 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
| 22 |
| vulnerability |
VCID-zzf6-uufj-3kap |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.14.1 |
|
|
| aliases |
CVE-2025-64326, GHSA-gr35-vpx2-qxhc, PYSEC-2025-126, PYSEC-2025-230
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-27fd-5u31-q7ft |
|
| 2 |
|
| 3 |
| url |
VCID-4u76-xepf-xkdg |
| vulnerability_id |
VCID-4u76-xepf-xkdg |
| summary |
Cross-site Scripting in Weblate |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/WeblateOrg/weblate |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/WeblateOrg/weblate |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@4.11 |
| purl |
pkg:pypi/weblate@4.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-27fd-5u31-q7ft |
|
| 2 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 3 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 4 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 5 |
| vulnerability |
VCID-849m-3c8x-z3dv |
|
| 6 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 7 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 8 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 9 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 10 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 11 |
| vulnerability |
VCID-dyct-cymv-e3fe |
|
| 12 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 13 |
| vulnerability |
VCID-nvm6-6nvn-vqff |
|
| 14 |
| vulnerability |
VCID-r36u-2h85-23b2 |
|
| 15 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 16 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 17 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 18 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 19 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 20 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 21 |
| vulnerability |
VCID-uams-vzmg-aubk |
|
| 22 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 23 |
| vulnerability |
VCID-uw48-rjjk-tbc1 |
|
| 24 |
| vulnerability |
VCID-veas-z52g-z7ap |
|
| 25 |
| vulnerability |
VCID-vk1r-2pj8-sbgt |
|
| 26 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 27 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
| 28 |
| vulnerability |
VCID-zzf6-uufj-3kap |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@4.11 |
|
|
| aliases |
BIT-weblate-2022-24710, CVE-2022-24710, GHSA-6jp6-9rf9-gc66, PYSEC-2022-35
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4u76-xepf-xkdg |
|
| 4 |
|
| 5 |
|
| 6 |
| url |
VCID-849m-3c8x-z3dv |
| vulnerability_id |
VCID-849m-3c8x-z3dv |
| summary |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/WeblateOrg/weblate/pull/16913 |
| reference_id |
16913 |
| reference_type |
|
| scores |
| 0 |
| value |
1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 1 |
| value |
1.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-15T20:55:31Z/ |
|
|
| url |
https://github.com/WeblateOrg/weblate/pull/16913 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15 |
| purl |
pkg:pypi/weblate@5.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 12 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 13 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 14 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 15 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 16 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 17 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 18 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15 |
|
|
| aliases |
CVE-2025-64725, GHSA-m6hq-f4w9-qrjj
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-849m-3c8x-z3dv |
|
| 7 |
|
| 8 |
| url |
VCID-am2b-ejeh-n3gt |
| vulnerability_id |
VCID-am2b-ejeh-n3gt |
| summary |
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-44263, GHSA-gcg5-86jr-f7jg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-am2b-ejeh-n3gt |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
| url |
VCID-dyct-cymv-e3fe |
| vulnerability_id |
VCID-dyct-cymv-e3fe |
| summary |
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If the official Weblate Docker image is used, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.11 |
| purl |
pkg:pypi/weblate@5.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-27fd-5u31-q7ft |
|
| 2 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 3 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 4 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 5 |
| vulnerability |
VCID-849m-3c8x-z3dv |
|
| 6 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 7 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 8 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 9 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 10 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 11 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 12 |
| vulnerability |
VCID-nvm6-6nvn-vqff |
|
| 13 |
| vulnerability |
VCID-r36u-2h85-23b2 |
|
| 14 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 15 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 16 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 17 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 18 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 19 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 20 |
| vulnerability |
VCID-uams-vzmg-aubk |
|
| 21 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 22 |
| vulnerability |
VCID-uw48-rjjk-tbc1 |
|
| 23 |
| vulnerability |
VCID-veas-z52g-z7ap |
|
| 24 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 25 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
| 26 |
| vulnerability |
VCID-zzf6-uufj-3kap |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.11 |
|
|
| aliases |
CVE-2025-32021, GHSA-m67m-3p5g-cw9j, PYSEC-2025-35
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dyct-cymv-e3fe |
|
| 13 |
|
| 14 |
| url |
VCID-nvm6-6nvn-vqff |
| vulnerability_id |
VCID-nvm6-6nvn-vqff |
| summary |
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/WeblateOrg/weblate/pull/17102 |
| reference_id |
17102 |
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/ |
|
|
| url |
https://github.com/WeblateOrg/weblate/pull/17102 |
|
| 4 |
| reference_url |
https://github.com/WeblateOrg/weblate/pull/17103 |
| reference_id |
17103 |
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/ |
|
|
| url |
https://github.com/WeblateOrg/weblate/pull/17103 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15 |
| purl |
pkg:pypi/weblate@5.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 12 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 13 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 14 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 15 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 16 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 17 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 18 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15 |
|
|
| aliases |
CVE-2025-66407, GHSA-hfpv-mc5v-p9mm, PYSEC-2025-231
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nvm6-6nvn-vqff |
|
| 15 |
| url |
VCID-r36u-2h85-23b2 |
| vulnerability_id |
VCID-r36u-2h85-23b2 |
| summary |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15 |
| purl |
pkg:pypi/weblate@5.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 12 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 13 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 14 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 15 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 16 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 17 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 18 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15 |
|
| 1 |
|
|
| aliases |
CVE-2025-67492, GHSA-pj86-258h-qrvf, PYSEC-2025-232
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r36u-2h85-23b2 |
|
| 16 |
| url |
VCID-rauj-hjbg-j7b4 |
| vulnerability_id |
VCID-rauj-hjbg-j7b4 |
| summary |
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15.2 |
| purl |
pkg:pypi/weblate@5.15.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 11 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 12 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 13 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 14 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 15 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.2 |
|
|
| aliases |
CVE-2026-21889, GHSA-3g2f-4rjg-9385
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rauj-hjbg-j7b4 |
|
| 17 |
| url |
VCID-rfk6-ty49-f3ft |
| vulnerability_id |
VCID-rfk6-ty49-f3ft |
| summary |
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15.1 |
| purl |
pkg:pypi/weblate@5.15.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 12 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 13 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 14 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 15 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 16 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.1 |
|
|
| aliases |
CVE-2025-68398, GHSA-8vcg-cfxj-p5m3
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rfk6-ty49-f3ft |
|
| 18 |
|
| 19 |
|
| 20 |
| url |
VCID-se5h-tu1z-1ybv |
| vulnerability_id |
VCID-se5h-tu1z-1ybv |
| summary |
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-41519, GHSA-6j8j-4qp3-36p2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-se5h-tu1z-1ybv |
|
| 21 |
| url |
VCID-ttsu-s5sc-47f1 |
| vulnerability_id |
VCID-ttsu-s5sc-47f1 |
| summary |
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-44264, GHSA-5cmv-3rc4-7279
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ttsu-s5sc-47f1 |
|
| 22 |
| url |
VCID-uams-vzmg-aubk |
| vulnerability_id |
VCID-uams-vzmg-aubk |
| summary |
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://hackerone.com/reports/3150564 |
| reference_id |
3150564 |
| reference_type |
|
| scores |
| 0 |
| value |
4.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/ |
|
|
| url |
https://hackerone.com/reports/3150564 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-47951, GHSA-57jg-m997-cx3q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uams-vzmg-aubk |
|
| 23 |
| url |
VCID-uctk-5p7z-cug3 |
| vulnerability_id |
VCID-uctk-5p7z-cug3 |
| summary |
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15.1 |
| purl |
pkg:pypi/weblate@5.15.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 12 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 13 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 14 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 15 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 16 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.1 |
|
|
| aliases |
CVE-2025-68279, GHSA-g925-f788-4jh7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uctk-5p7z-cug3 |
|
| 24 |
|
| 25 |
| url |
VCID-veas-z52g-z7ap |
| vulnerability_id |
VCID-veas-z52g-z7ap |
| summary |
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.13.1 |
| purl |
pkg:pypi/weblate@5.13.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-27fd-5u31-q7ft |
|
| 2 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 3 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 4 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 5 |
| vulnerability |
VCID-849m-3c8x-z3dv |
|
| 6 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 7 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 8 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 9 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 10 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 11 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 12 |
| vulnerability |
VCID-nvm6-6nvn-vqff |
|
| 13 |
| vulnerability |
VCID-r36u-2h85-23b2 |
|
| 14 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 15 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 16 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 17 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 18 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 19 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 20 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 21 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 22 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
| 23 |
| vulnerability |
VCID-zzf6-uufj-3kap |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.13.1 |
|
|
| aliases |
CVE-2025-58352, GHSA-377j-wj38-4728
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-veas-z52g-z7ap |
|
| 26 |
| url |
VCID-vk1r-2pj8-sbgt |
| vulnerability_id |
VCID-vk1r-2pj8-sbgt |
| summary |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/WeblateOrg/weblate |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/WeblateOrg/weblate |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@4.11.1 |
| purl |
pkg:pypi/weblate@4.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-27fd-5u31-q7ft |
|
| 2 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 3 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 4 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 5 |
| vulnerability |
VCID-849m-3c8x-z3dv |
|
| 6 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 7 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 8 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 9 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 10 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 11 |
| vulnerability |
VCID-dyct-cymv-e3fe |
|
| 12 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 13 |
| vulnerability |
VCID-nvm6-6nvn-vqff |
|
| 14 |
| vulnerability |
VCID-r36u-2h85-23b2 |
|
| 15 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 16 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 17 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 18 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 19 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 20 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 21 |
| vulnerability |
VCID-uams-vzmg-aubk |
|
| 22 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 23 |
| vulnerability |
VCID-uw48-rjjk-tbc1 |
|
| 24 |
| vulnerability |
VCID-veas-z52g-z7ap |
|
| 25 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 26 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
| 27 |
| vulnerability |
VCID-zzf6-uufj-3kap |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@4.11.1 |
|
|
| aliases |
CVE-2022-23915, GHSA-3872-f48p-pxqj, PYSEC-2022-31, SNYK-PYTHON-WEBLATE-2414088
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vk1r-2pj8-sbgt |
|
| 27 |
| url |
VCID-wkpe-cvt3-w3d4 |
| vulnerability_id |
VCID-wkpe-cvt3-w3d4 |
| summary |
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-41654, GHSA-cwcx-382v-8m9g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wkpe-cvt3-w3d4 |
|
| 28 |
|
| 29 |
| url |
VCID-zzf6-uufj-3kap |
| vulnerability_id |
VCID-zzf6-uufj-3kap |
| summary |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/weblate@5.15 |
| purl |
pkg:pypi/weblate@5.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-13gh-1j1y-pud2 |
|
| 1 |
| vulnerability |
VCID-3nnm-5hms-ufb2 |
|
| 2 |
| vulnerability |
VCID-7uky-8ks8-8kg1 |
|
| 3 |
| vulnerability |
VCID-7xdv-rje4-bfh5 |
|
| 4 |
| vulnerability |
VCID-8znh-acd2-53bm |
|
| 5 |
| vulnerability |
VCID-am2b-ejeh-n3gt |
|
| 6 |
| vulnerability |
VCID-bxuh-n3fj-ffga |
|
| 7 |
| vulnerability |
VCID-dfsk-f6ch-hqcn |
|
| 8 |
| vulnerability |
VCID-dsmf-fhrh-ukh3 |
|
| 9 |
| vulnerability |
VCID-fp81-5b87-j7ax |
|
| 10 |
| vulnerability |
VCID-rauj-hjbg-j7b4 |
|
| 11 |
| vulnerability |
VCID-rfk6-ty49-f3ft |
|
| 12 |
| vulnerability |
VCID-rywq-qyvb-8fcg |
|
| 13 |
| vulnerability |
VCID-rzfg-uyxe-xyhd |
|
| 14 |
| vulnerability |
VCID-se5h-tu1z-1ybv |
|
| 15 |
| vulnerability |
VCID-ttsu-s5sc-47f1 |
|
| 16 |
| vulnerability |
VCID-uctk-5p7z-cug3 |
|
| 17 |
| vulnerability |
VCID-wkpe-cvt3-w3d4 |
|
| 18 |
| vulnerability |
VCID-ynw1-ttb5-4ydn |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15 |
|
| 1 |
|
|
| aliases |
CVE-2025-67715, GHSA-3pmh-24wp-xpf4, PYSEC-2025-233
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zzf6-uufj-3kap |
|