Search for packages
| purl | pkg:pypi/weblate@5.17 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-557t-6mjj-7kcr | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects. |
CVE-2026-33435
GHSA-558g-h753-6m33 PYSEC-2026-154 |
| VCID-fesz-pv5h-c3e2 | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround. |
CVE-2026-39845
GHSA-f8hv-g549-hwg2 PYSEC-2026-156 |
| VCID-hdsr-3vyy-5bgh | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17. |
CVE-2026-34393
GHSA-3382-gw9x-477v PYSEC-2026-155 |
| VCID-hvg1-yhgu-m7ca | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature. |
CVE-2026-33214
GHSA-mpf5-3vph-q75r PYSEC-2026-152 |
| VCID-p2hq-a8xy-p3b9 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default. |
CVE-2026-33220
GHSA-mqph-7h49-hqfm PYSEC-2026-153 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:24:50.118627+00:00 | Pypa Importer | Fixing | VCID-fesz-pv5h-c3e2 | https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-156.yaml | 38.6.0 |
| 2026-06-02T04:24:49.437975+00:00 | Pypa Importer | Fixing | VCID-hdsr-3vyy-5bgh | https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-155.yaml | 38.6.0 |
| 2026-06-02T04:24:48.779384+00:00 | Pypa Importer | Fixing | VCID-557t-6mjj-7kcr | https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-154.yaml | 38.6.0 |
| 2026-06-02T04:24:48.116937+00:00 | Pypa Importer | Fixing | VCID-p2hq-a8xy-p3b9 | https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-153.yaml | 38.6.0 |
| 2026-06-02T04:24:47.452365+00:00 | Pypa Importer | Fixing | VCID-hvg1-yhgu-m7ca | https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-152.yaml | 38.6.0 |