{"url":"http://public2.vulnerablecode.io/api/packages/45015?format=json","purl":"pkg:pypi/weblate@5.10.4","type":"pypi","namespace":"","name":"weblate","version":"5.10.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.12","latest_non_vulnerable_version":"2026.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89783?format=json","vulnerability_id":"VCID-21md-sewk-s3bx","summary":"Weblate: Improper access control for pending tasks in API\n### Impact\nThe API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18515\n\n### Workarounds\nThe attacker needs to guess the random UUID of the task, so exploiting this is unlikely with the default API rate limits.\n\n### References\nThis issue was identified by Michal Čihař.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33212","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01503","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33212"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:08:54Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18515","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate/pull/18515"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:08:54Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33212","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33212"},{"reference_url":"https://github.com/advisories/GHSA-vj45-x3pj-f4w4","reference_id":"GHSA-vj45-x3pj-f4w4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vj45-x3pj-f4w4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33212","GHSA-vj45-x3pj-f4w4"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21md-sewk-s3bx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89936?format=json","vulnerability_id":"VCID-2wey-h1ak-73ct","summary":"Weblate Doesn't Invalidate API Token on Password Change\n### Impact\nWhen a user changes their password, browser sessions are correctly invalidated via `cycle_session_keys()`, but DRF API tokens (`wlu_*` prefix) stored in `authtoken_token` are not revoked.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/19057\n\n### Resources\nWeblate thanks Sang Yu Jeon for reporting this via GitHub.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41519","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.0089","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41519"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T14:45:16Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/19057","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T14:45:16Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/19057"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T14:45:16Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T14:45:16Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41519","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41519"},{"reference_url":"https://github.com/advisories/GHSA-6j8j-4qp3-36p2","reference_id":"GHSA-6j8j-4qp3-36p2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6j8j-4qp3-36p2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110325?format=json","purl":"pkg:pypi/weblate@5.17.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.1"}],"aliases":["CVE-2026-41519","GHSA-6j8j-4qp3-36p2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2wey-h1ak-73ct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37142?format=json","vulnerability_id":"VCID-4qdu-uag1-2yag","summary":"Weblate is a web based localization tool. In versions 5.14 and below,  Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64326","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10445","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64326"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-230.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-230.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/16781","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:17:50Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/16781"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:17:50Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64326","reference_id":"CVE-2025-64326","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64326"},{"reference_url":"https://github.com/advisories/GHSA-gr35-vpx2-qxhc","reference_id":"GHSA-gr35-vpx2-qxhc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gr35-vpx2-qxhc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46444?format=json","purl":"pkg:pypi/weblate@5.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-egrq-f6sp-3ke5"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-keku-9eyt-gfhq"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-unw7-2g9j-x7b5"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"},{"vulnerability":"VCID-xsga-gghy-e7f3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.14.1"}],"aliases":["CVE-2025-64326","GHSA-gr35-vpx2-qxhc","PYSEC-2025-126","PYSEC-2025-230"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4qdu-uag1-2yag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37291?format=json","vulnerability_id":"VCID-557t-6mjj-7kcr","summary":"Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33435","reference_id":"","reference_type":"","scores":[{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.2965","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33435"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18549","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:40:18Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18549"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:40:18Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33435","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33435"},{"reference_url":"https://github.com/advisories/GHSA-558g-h753-6m33","reference_id":"GHSA-558g-h753-6m33","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-558g-h753-6m33"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33435","GHSA-558g-h753-6m33","PYSEC-2026-154"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-557t-6mjj-7kcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50169?format=json","vulnerability_id":"VCID-5hry-n5eq-z3b3","summary":"Weblate has an argument injection in management console\nThe SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24126","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02124","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24126"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:13:05Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17722","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:13:05Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17722"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24126","reference_id":"CVE-2026-24126","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24126"},{"reference_url":"https://github.com/advisories/GHSA-33fm-6gp7-4p47","reference_id":"GHSA-33fm-6gp7-4p47","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-33fm-6gp7-4p47"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47","reference_id":"GHSA-33fm-6gp7-4p47","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:13:05Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74080?format=json","purl":"pkg:pypi/weblate@5.16.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49546?format=json","purl":"pkg:pypi/weblate@5.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16"}],"aliases":["CVE-2026-24126","GHSA-33fm-6gp7-4p47"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5hry-n5eq-z3b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90097?format=json","vulnerability_id":"VCID-5yrc-97jz-77hk","summary":"Weblate: Arbitrary File Read via Symlink\n### Impact\n\nThe ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository.\n\n### Patches\n\n* https://github.com/WeblateOrg/weblate/pull/18683\n\n### References\n\nThanks to @DavidCarliez for reporting this vulnerability via GitHub.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34242","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04439","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34242"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:49Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/5db3a2a2e047ecaab627a8731cd744a30b2f51d3"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:49Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hv99-mxm5-q397"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34242","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34242"},{"reference_url":"https://github.com/advisories/GHSA-hv99-mxm5-q397","reference_id":"GHSA-hv99-mxm5-q397","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hv99-mxm5-q397"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-34242","GHSA-hv99-mxm5-q397"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5yrc-97jz-77hk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49469?format=json","vulnerability_id":"VCID-7hct-7z1p-4uey","summary":"Weblate has an arbitrary file read via symbolic links\nIt was possible to read arbitrary files from the server file system using crafted symbolic links in the repository.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68279","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18495","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68279"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17331","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T15:01:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17331"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17356","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T15:01:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17356"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T15:01:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68279","reference_id":"CVE-2025-68279","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68279"},{"reference_url":"https://github.com/advisories/GHSA-g925-f788-4jh7","reference_id":"GHSA-g925-f788-4jh7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g925-f788-4jh7"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7","reference_id":"GHSA-g925-f788-4jh7","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T15:01:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49544?format=json","purl":"pkg:pypi/weblate@5.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.1"}],"aliases":["CVE-2025-68279","GHSA-g925-f788-4jh7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7hct-7z1p-4uey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89277?format=json","vulnerability_id":"VCID-e9zq-sh19-rkcy","summary":"Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url\n### Impact\nAn authenticated user with `project.add` permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose `components/<name>.json` contains an attacker-chosen `repo` URL pointing at a **private address** (e.g. `http://127.0.0.1:9999/`) or using a **non-allow-listed scheme** (e.g. `file://`, `git://`). Weblate persists the component via `Component.objects.bulk_create([component])[0]`, which bypasses Django's `full_clean()` and therefore never runs the `validate_repo_url` validator. The URL is subsequently written verbatim into `.git/config` by `configure_repo(pull=False)`.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/19061\n* https://github.com/WeblateOrg/weblate/pull/19062 \n\n### Workarounds\nLimiting who can create projects limits the scope.\n\n### Resources\nWeblate thanks @fg0x0 for reporting this vulnerability via GitHub.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41654","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06191","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41654"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/19061","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/19061"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/19062","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/19062"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:23:34Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41654","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41654"},{"reference_url":"https://github.com/advisories/GHSA-cwcx-382v-8m9g","reference_id":"GHSA-cwcx-382v-8m9g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cwcx-382v-8m9g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110325?format=json","purl":"pkg:pypi/weblate@5.17.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.1"}],"aliases":["CVE-2026-41654","GHSA-cwcx-382v-8m9g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e9zq-sh19-rkcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37163?format=json","vulnerability_id":"VCID-egrq-f6sp-3ke5","summary":"Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67715","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01727","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67715"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17256","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T14:36:56Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17256"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T14:36:56Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67715","reference_id":"CVE-2025-67715","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67715"},{"reference_url":"https://github.com/advisories/GHSA-3pmh-24wp-xpf4","reference_id":"GHSA-3pmh-24wp-xpf4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pmh-24wp-xpf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46901?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-67715","GHSA-3pmh-24wp-xpf4","PYSEC-2025-233"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-egrq-f6sp-3ke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89643?format=json","vulnerability_id":"VCID-f33b-1e47-8bhc","summary":"Weblate: SSRF via Project-Level Machinery Configuration\n### Impact\nA user with the `project.edit` permission (granted by the per-project \"Administration\" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read.\n\n### Patches\n\n* https://github.com/WeblateOrg/weblate/pull/18684\n* The solution then has been cleaned up in followup patches\n\n### Workarounds\nLimiting available machinery services via WEBLATE_MACHINERY setting can avoid this.\n\n### References\n\nThanks to @DavidCarliez for disclosing this via GitHub private vulnerability reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34244","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01409","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34244"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/e619e9090202e4886b844c110d39308e7e882c0e","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:49:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/e619e9090202e4886b844c110d39308e7e882c0e"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18684","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate/pull/18684"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-xrwr-fcw6-fmq8","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:49:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-xrwr-fcw6-fmq8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34244","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34244"},{"reference_url":"https://github.com/advisories/GHSA-xrwr-fcw6-fmq8","reference_id":"GHSA-xrwr-fcw6-fmq8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xrwr-fcw6-fmq8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-34244","GHSA-xrwr-fcw6-fmq8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f33b-1e47-8bhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37293?format=json","vulnerability_id":"VCID-fesz-pv5h-c3e2","summary":"Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39845","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01238","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39845"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18815","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:00Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18815"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:00Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39845","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39845"},{"reference_url":"https://github.com/advisories/GHSA-f8hv-g549-hwg2","reference_id":"GHSA-f8hv-g549-hwg2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f8hv-g549-hwg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-39845","GHSA-f8hv-g549-hwg2","PYSEC-2026-156"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fesz-pv5h-c3e2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57492?format=json","vulnerability_id":"VCID-fjt4-422q-nfb1","summary":"Weblate lacks rate limiting when verifying second factor\nThe verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47951","reference_id":"","reference_type":"","scores":[{"value":"0.00201","scoring_system":"epss","scoring_elements":"0.42176","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-47951"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/14918","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/14918"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1"},{"reference_url":"https://hackerone.com/reports/3150564","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/"}],"url":"https://hackerone.com/reports/3150564"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47951","reference_id":"CVE-2025-47951","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47951"},{"reference_url":"https://github.com/advisories/GHSA-57jg-m997-cx3q","reference_id":"GHSA-57jg-m997-cx3q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-57jg-m997-cx3q"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q","reference_id":"GHSA-57jg-m997-cx3q","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:49:15Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85517?format=json","purl":"pkg:pypi/weblate@5.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.12"}],"aliases":["CVE-2025-47951","GHSA-57jg-m997-cx3q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fjt4-422q-nfb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37292?format=json","vulnerability_id":"VCID-hdsr-3vyy-5bgh","summary":"Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34393","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03639","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34393"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18687","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:38:44Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18687"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:38:44Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34393","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34393"},{"reference_url":"https://github.com/advisories/GHSA-3382-gw9x-477v","reference_id":"GHSA-3382-gw9x-477v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3382-gw9x-477v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-34393","GHSA-3382-gw9x-477v","PYSEC-2026-155"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsr-3vyy-5bgh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37289?format=json","vulnerability_id":"VCID-hvg1-yhgu-m7ca","summary":"Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33214","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01477","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33214"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18513","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:31:35Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18513"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:31:35Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33214","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33214"},{"reference_url":"https://github.com/advisories/GHSA-mpf5-3vph-q75r","reference_id":"GHSA-mpf5-3vph-q75r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mpf5-3vph-q75r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33214","GHSA-mpf5-3vph-q75r","PYSEC-2026-152"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hvg1-yhgu-m7ca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49437?format=json","vulnerability_id":"VCID-keku-9eyt-gfhq","summary":"Weblate has improper validation upon invitation acceptance\nIt was possible to accept an invitation opened by a different Weblate user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64725","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02455","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64725"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9","reference_id":"","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-15T20:55:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/16913","reference_id":"","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-15T20:55:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/16913"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15","reference_id":"","reference_type":"","scores":[{"value":"1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-15T20:55:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64725","reference_id":"CVE-2025-64725","reference_type":"","scores":[{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64725"},{"reference_url":"https://github.com/advisories/GHSA-m6hq-f4w9-qrjj","reference_id":"GHSA-m6hq-f4w9-qrjj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6hq-f4w9-qrjj"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj","reference_id":"GHSA-m6hq-f4w9-qrjj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"1.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-15T20:55:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46901?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-64725","GHSA-m6hq-f4w9-qrjj"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-keku-9eyt-gfhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89465?format=json","vulnerability_id":"VCID-krap-qhkh-p7f8","summary":"Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads\n### Impact\nThe ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18550\n\n### References\nThis issue was reported by @spbavarva via GitHub.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33440","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01409","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33440"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:49:07Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18550","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate/pull/18550"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:49:07Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33440","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33440"},{"reference_url":"https://github.com/advisories/GHSA-5fhx-9jwj-867m","reference_id":"GHSA-5fhx-9jwj-867m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5fhx-9jwj-867m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33440","GHSA-5fhx-9jwj-867m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-krap-qhkh-p7f8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37290?format=json","vulnerability_id":"VCID-p2hq-a8xy-p3b9","summary":"Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33220","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04525","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33220"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18516","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:09:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18516"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:09:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33220","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33220"},{"reference_url":"https://github.com/advisories/GHSA-mqph-7h49-hqfm","reference_id":"GHSA-mqph-7h49-hqfm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mqph-7h49-hqfm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33220","GHSA-mqph-7h49-hqfm","PYSEC-2026-153"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p2hq-a8xy-p3b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37046?format=json","vulnerability_id":"VCID-t6ye-yfrj-mkbt","summary":"Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32021","reference_id":"","reference_type":"","scores":[{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49605","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32021"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11","reference_id":"","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T14:40:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j","reference_id":"","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T14:40:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32021","reference_id":"CVE-2025-32021","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32021"},{"reference_url":"https://github.com/advisories/GHSA-m67m-3p5g-cw9j","reference_id":"GHSA-m67m-3p5g-cw9j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m67m-3p5g-cw9j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45016?format=json","purl":"pkg:pypi/weblate@5.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-4qdu-uag1-2yag"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-egrq-f6sp-3ke5"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-fjt4-422q-nfb1"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-keku-9eyt-gfhq"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-unw7-2g9j-x7b5"},{"vulnerability":"VCID-uzbt-4vw5-aygg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"},{"vulnerability":"VCID-xsga-gghy-e7f3"},{"vulnerability":"VCID-zfn5-xcs4-kfap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.11"}],"aliases":["CVE-2025-32021","GHSA-m67m-3p5g-cw9j","PYSEC-2025-35"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t6ye-yfrj-mkbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49714?format=json","vulnerability_id":"VCID-ujf7-ybqh-77cg","summary":"Weblate leaks information via screenshots\nThe screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21889","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16348","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21889"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T16:58:27Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17516","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T16:58:27Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17516"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21889","reference_id":"CVE-2026-21889","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21889"},{"reference_url":"https://github.com/advisories/GHSA-3g2f-4rjg-9385","reference_id":"GHSA-3g2f-4rjg-9385","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3g2f-4rjg-9385"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385","reference_id":"GHSA-3g2f-4rjg-9385","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-14T16:58:27Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49545?format=json","purl":"pkg:pypi/weblate@5.15.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.2"}],"aliases":["CVE-2026-21889","GHSA-3g2f-4rjg-9385"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ujf7-ybqh-77cg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37161?format=json","vulnerability_id":"VCID-unw7-2g9j-x7b5","summary":"Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66407","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06041","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66407"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17102","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17102"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17103","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17103"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66407","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66407"},{"reference_url":"https://github.com/advisories/GHSA-hfpv-mc5v-p9mm","reference_id":"GHSA-hfpv-mc5v-p9mm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hfpv-mc5v-p9mm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46901?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-66407","GHSA-hfpv-mc5v-p9mm","PYSEC-2025-231"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-unw7-2g9j-x7b5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57490?format=json","vulnerability_id":"VCID-uzbt-4vw5-aygg","summary":"Weblate exposes personal IP address via e-mail\nThe audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49134","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55685","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49134"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:04:17Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/15102","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:04:17Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/15102"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:04:17Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49134","reference_id":"CVE-2025-49134","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49134"},{"reference_url":"https://github.com/advisories/GHSA-4qqf-9m5c-w2c5","reference_id":"GHSA-4qqf-9m5c-w2c5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4qqf-9m5c-w2c5"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5","reference_id":"GHSA-4qqf-9m5c-w2c5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:04:17Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85517?format=json","purl":"pkg:pypi/weblate@5.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.12"}],"aliases":["CVE-2025-49134","GHSA-4qqf-9m5c-w2c5"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzbt-4vw5-aygg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89201?format=json","vulnerability_id":"VCID-v5hv-hws5-fugj","summary":"Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision\n### Impact\nWeblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside).\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18847\n\n### References\nThanks to [m9nx4u](https://hackerone.com/m9nx4u) for reporting this issue via HackerOne.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40256","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05685","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40256"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:10:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18847","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate/pull/18847"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:10:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40256","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40256"},{"reference_url":"https://github.com/advisories/GHSA-ffgh-3jrf-8wvh","reference_id":"GHSA-ffgh-3jrf-8wvh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-ffgh-3jrf-8wvh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1126240?format=json","purl":"pkg:pypi/weblate@5.17.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49549?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-e9zq-sh19-rkcy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-40256","GHSA-ffgh-3jrf-8wvh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v5hv-hws5-fugj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50413?format=json","vulnerability_id":"VCID-w9nv-k2jg-yuce","summary":"Weblate: Missing access control for the AddonViewSet API exposes all addon configurations\nUsers were able to obtain add-on configuration via API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27457","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10961","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27457"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18107","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18107"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18164","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18164"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27457","reference_id":"CVE-2026-27457","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27457"},{"reference_url":"https://github.com/advisories/GHSA-wppc-7cq7-cgfv","reference_id":"GHSA-wppc-7cq7-cgfv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wppc-7cq7-cgfv"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv","reference_id":"GHSA-wppc-7cq7-cgfv","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T01:39:25Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49547?format=json","purl":"pkg:pypi/weblate@5.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-v5hv-hws5-fugj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.16.1"}],"aliases":["CVE-2026-27457","GHSA-wppc-7cq7-cgfv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w9nv-k2jg-yuce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49472?format=json","vulnerability_id":"VCID-x6n4-rzpv-83fa","summary":"Weblate is vulnerable to RCE through Git config file overwrite\nIt was possible to overwrite Git configuration remotely and override some of its behavior.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68398","reference_id":"","reference_type":"","scores":[{"value":"0.00249","scoring_system":"epss","scoring_elements":"0.48367","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68398"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/4837a4154390f7c1d03c0e398aa6439dcfa361b4","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/4837a4154390f7c1d03c0e398aa6439dcfa361b4"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/dd8c9d7b00eebe28770fa0e2cd96126791765ea7","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/dd8c9d7b00eebe28770fa0e2cd96126791765ea7"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17330","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17330"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17345","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17345"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68398","reference_id":"CVE-2025-68398","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68398"},{"reference_url":"https://github.com/advisories/GHSA-8vcg-cfxj-p5m3","reference_id":"GHSA-8vcg-cfxj-p5m3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vcg-cfxj-p5m3"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3","reference_id":"GHSA-8vcg-cfxj-p5m3","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-19T14:58:31Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49544?format=json","purl":"pkg:pypi/weblate@5.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15.1"}],"aliases":["CVE-2025-68398","GHSA-8vcg-cfxj-p5m3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x6n4-rzpv-83fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37162?format=json","vulnerability_id":"VCID-xsga-gghy-e7f3","summary":"Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67492","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05316","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67492"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17221","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:13:36Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17221"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:13:36Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67492","reference_id":"CVE-2025-67492","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67492"},{"reference_url":"https://github.com/advisories/GHSA-pj86-258h-qrvf","reference_id":"GHSA-pj86-258h-qrvf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pj86-258h-qrvf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46901?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-67492","GHSA-pj86-258h-qrvf","PYSEC-2025-232"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xsga-gghy-e7f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58070?format=json","vulnerability_id":"VCID-zfn5-xcs4-kfap","summary":"Weblate has a long session expiry when verifying second factor\nThe verification of the second factor had too long a session expiry. The long session expiry could be used to circumvent rate limiting of the second factor.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58352","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20209","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58352"},{"reference_url":"https://github.com/WeblateOrg/weblate","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/WeblateOrg/weblate"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:17:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/16002","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:17:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/16002"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58352","reference_id":"CVE-2025-58352","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58352"},{"reference_url":"https://github.com/advisories/GHSA-377j-wj38-4728","reference_id":"GHSA-377j-wj38-4728","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-377j-wj38-4728"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728","reference_id":"GHSA-377j-wj38-4728","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:17:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/46440?format=json","purl":"pkg:pypi/weblate@5.13.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21md-sewk-s3bx"},{"vulnerability":"VCID-2wey-h1ak-73ct"},{"vulnerability":"VCID-4qdu-uag1-2yag"},{"vulnerability":"VCID-557t-6mjj-7kcr"},{"vulnerability":"VCID-5hry-n5eq-z3b3"},{"vulnerability":"VCID-5yrc-97jz-77hk"},{"vulnerability":"VCID-7hct-7z1p-4uey"},{"vulnerability":"VCID-e9zq-sh19-rkcy"},{"vulnerability":"VCID-egrq-f6sp-3ke5"},{"vulnerability":"VCID-f33b-1e47-8bhc"},{"vulnerability":"VCID-fesz-pv5h-c3e2"},{"vulnerability":"VCID-hdsr-3vyy-5bgh"},{"vulnerability":"VCID-hvg1-yhgu-m7ca"},{"vulnerability":"VCID-keku-9eyt-gfhq"},{"vulnerability":"VCID-krap-qhkh-p7f8"},{"vulnerability":"VCID-p2hq-a8xy-p3b9"},{"vulnerability":"VCID-ujf7-ybqh-77cg"},{"vulnerability":"VCID-unw7-2g9j-x7b5"},{"vulnerability":"VCID-v5hv-hws5-fugj"},{"vulnerability":"VCID-w9nv-k2jg-yuce"},{"vulnerability":"VCID-x6n4-rzpv-83fa"},{"vulnerability":"VCID-xsga-gghy-e7f3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.13.1"}],"aliases":["CVE-2025-58352","GHSA-377j-wj38-4728"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zfn5-xcs4-kfap"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.10.4"}