| purl | pkg:pypi/weblate@3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-13gh-1j1y-pud2
Aliases: CVE-2026-24126 GHSA-33fm-6gp7-4p47 |
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console. |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-27fd-5u31-q7ft
Aliases: CVE-2025-64326 GHSA-gr35-vpx2-qxhc PYSEC-2025-126 PYSEC-2025-230 |
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1. |
Affected by 23 other vulnerabilities. |
|
VCID-3nnm-5hms-ufb2
Aliases: CVE-2026-33212 GHSA-vj45-x3pj-f4w4 |
Affected by 4 other vulnerabilities. |
|
|
VCID-4u76-xepf-xkdg
Aliases: BIT-weblate-2022-24710 CVE-2022-24710 GHSA-6jp6-9rf9-gc66 PYSEC-2022-35 |
Cross-site Scripting in Weblate |
Affected by 29 other vulnerabilities. |
|
VCID-7uky-8ks8-8kg1
Aliases: CVE-2026-39845 GHSA-f8hv-g549-hwg2 PYSEC-2026-156 |
Affected by 4 other vulnerabilities. |
|
|
VCID-7xdv-rje4-bfh5
Aliases: CVE-2026-34393 GHSA-3382-gw9x-477v PYSEC-2026-155 |
Affected by 4 other vulnerabilities. |
|
|
VCID-849m-3c8x-z3dv
Aliases: CVE-2025-64725 GHSA-m6hq-f4w9-qrjj |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
Affected by 19 other vulnerabilities. |
|
VCID-8znh-acd2-53bm
Aliases: CVE-2026-27457 GHSA-wppc-7cq7-cgfv |
Affected by 14 other vulnerabilities. |
|
|
VCID-am2b-ejeh-n3gt
Aliases: CVE-2026-44263 GHSA-gcg5-86jr-f7jg |
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. |
Affected by 0 other vulnerabilities. |
|
VCID-bxuh-n3fj-ffga
Aliases: CVE-2026-34242 GHSA-hv99-mxm5-q397 |
Affected by 4 other vulnerabilities. |
|
|
VCID-dfsk-f6ch-hqcn
Aliases: CVE-2026-33220 GHSA-mqph-7h49-hqfm PYSEC-2026-153 |
Affected by 4 other vulnerabilities. |
|
|
VCID-dsmf-fhrh-ukh3
Aliases: CVE-2026-33214 GHSA-mpf5-3vph-q75r PYSEC-2026-152 |
Affected by 4 other vulnerabilities. |
|
|
VCID-dyct-cymv-e3fe
Aliases: CVE-2025-32021 GHSA-m67m-3p5g-cw9j PYSEC-2025-35 |
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11. |
Affected by 27 other vulnerabilities. |
|
VCID-fp81-5b87-j7ax
Aliases: CVE-2026-33440 GHSA-5fhx-9jwj-867m |
Affected by 4 other vulnerabilities. |
|
|
VCID-nvm6-6nvn-vqff
Aliases: CVE-2025-66407 GHSA-hfpv-mc5v-p9mm PYSEC-2025-231 |
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message. |
Affected by 19 other vulnerabilities. |
|
VCID-r36u-2h85-23b2
Aliases: CVE-2025-67492 GHSA-pj86-258h-qrvf PYSEC-2025-232 |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-rauj-hjbg-j7b4
Aliases: CVE-2026-21889 GHSA-3g2f-4rjg-9385 |
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. |
Affected by 16 other vulnerabilities. |
|
VCID-rfk6-ty49-f3ft
Aliases: CVE-2025-68398 GHSA-8vcg-cfxj-p5m3 |
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. |
Affected by 17 other vulnerabilities. |
|
VCID-rywq-qyvb-8fcg
Aliases: CVE-2026-40256 GHSA-ffgh-3jrf-8wvh |
Affected by 4 other vulnerabilities. |
|
|
VCID-rzfg-uyxe-xyhd
Aliases: CVE-2026-33435 GHSA-558g-h753-6m33 PYSEC-2026-154 |
Affected by 4 other vulnerabilities. |
|
|
VCID-se5h-tu1z-1ybv
Aliases: CVE-2026-41519 GHSA-6j8j-4qp3-36p2 |
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1. |
Affected by 0 other vulnerabilities. |
|
VCID-ttsu-s5sc-47f1
Aliases: CVE-2026-44264 GHSA-5cmv-3rc4-7279 |
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. |
Affected by 0 other vulnerabilities. |
|
VCID-uams-vzmg-aubk
Aliases: CVE-2025-47951 GHSA-57jg-m997-cx3q |
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12. |
Affected by 0 other vulnerabilities. |
|
VCID-uctk-5p7z-cug3
Aliases: CVE-2025-68279 GHSA-g925-f788-4jh7 |
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. |
Affected by 17 other vulnerabilities. |
|
VCID-uw48-rjjk-tbc1
Aliases: CVE-2025-49134 GHSA-4qqf-9m5c-w2c5 |
Affected by 0 other vulnerabilities. |
|
|
VCID-veas-z52g-z7ap
Aliases: CVE-2025-58352 GHSA-377j-wj38-4728 |
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1. |
Affected by 24 other vulnerabilities. |
|
VCID-vk1r-2pj8-sbgt
Aliases: CVE-2022-23915 GHSA-3872-f48p-pxqj PYSEC-2022-31 SNYK-PYTHON-WEBLATE-2414088 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate |
Affected by 28 other vulnerabilities. |
|
VCID-wkpe-cvt3-w3d4
Aliases: CVE-2026-41654 GHSA-cwcx-382v-8m9g |
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1. |
Affected by 0 other vulnerabilities. |
|
VCID-ynw1-ttb5-4ydn
Aliases: CVE-2026-34244 GHSA-xrwr-fcw6-fmq8 |
Affected by 4 other vulnerabilities. |
|
|
VCID-zzf6-uufj-3kap
Aliases: CVE-2025-67715 GHSA-3pmh-24wp-xpf4 PYSEC-2025-233 |
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||