Package details: pkg:pypi/weblate@5.16.1
purl pkg:pypi/weblate@5.16.1
Next non-vulnerable version 5.17
Latest non-vulnerable version 5.17
Risk
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-557t-6mjj-7kcr
Aliases:
CVE-2026-33435
GHSA-558g-h753-6m33
PYSEC-2026-154
Weblate is a web-based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files, which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.
5.17
Affected by 0 other vulnerabilities.
VCID-fesz-pv5h-c3e2
Aliases:
CVE-2026-39845
GHSA-f8hv-g549-hwg2
PYSEC-2026-156
Weblate is a web-based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.
5.17
Affected by 0 other vulnerabilities.
VCID-hdsr-3vyy-5bgh
Aliases:
CVE-2026-34393
GHSA-3382-gw9x-477v
PYSEC-2026-155
Weblate is a web-based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
5.17
Affected by 0 other vulnerabilities.
VCID-hvg1-yhgu-m7ca
Aliases:
CVE-2026-33214
GHSA-mpf5-3vph-q75r
PYSEC-2026-152
Weblate is a web-based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
5.17
Affected by 0 other vulnerabilities.
VCID-p2hq-a8xy-p3b9
Aliases:
CVE-2026-33220
GHSA-mqph-7h49-hqfm
PYSEC-2026-153
Weblate is a web-based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
5.17
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-w9nv-k2jg-yuce
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Users were able to obtain add-on configuration via API.
CVE-2026-27457
GHSA-wppc-7cq7-cgfv

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:50:56.756555+00:00 GitLab Importer Fixing VCID-w9nv-k2jg-yuce https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Weblate/CVE-2026-27457.yml 38.6.0
2026-06-02T04:24:50.111267+00:00 Pypa Importer Affected by VCID-fesz-pv5h-c3e2 https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-156.yaml 38.6.0
2026-06-02T04:24:49.430549+00:00 Pypa Importer Affected by VCID-hdsr-3vyy-5bgh https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-155.yaml 38.6.0
2026-06-02T04:24:48.771685+00:00 Pypa Importer Affected by VCID-557t-6mjj-7kcr https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-154.yaml 38.6.0
2026-06-02T04:24:48.109582+00:00 Pypa Importer Affected by VCID-p2hq-a8xy-p3b9 https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-153.yaml 38.6.0
2026-06-02T04:24:47.443241+00:00 Pypa Importer Affected by VCID-hvg1-yhgu-m7ca https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-152.yaml 38.6.0