{"url":"http://public2.vulnerablecode.io/api/packages/87421?format=json","purl":"pkg:pypi/weblate@4.18","type":"pypi","namespace":"","name":"weblate","version":"4.18","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.16.0","latest_non_vulnerable_version":"5.17","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90812?format=json","vulnerability_id":"VCID-27fd-5u31-q7ft","summary":"Weblate is a web based localization tool. In versions 5.14 and below,  Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64326","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10443","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64326"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-230.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-230.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/16781","reference_id":"16781","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:17:50Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/16781"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64326","reference_id":"CVE-2025-64326","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64326"},{"reference_url":"https://github.com/advisories/GHSA-gr35-vpx2-qxhc","reference_id":"GHSA-gr35-vpx2-qxhc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gr35-vpx2-qxhc"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc","reference_id":"GHSA-gr35-vpx2-qxhc","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-06T21:17:50Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35024?format=json","purl":"pkg:pypi/weblate@5.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uky-8ks8-8kg1"},{"vulnerability":"VCID-7xdv-rje4-bfh5"},{"vulnerability":"VCID-dfsk-f6ch-hqcn"},{"vulnerability":"VCID-dsmf-fhrh-ukh3"},{"vulnerability":"VCID-nvm6-6nvn-vqff"},{"vulnerability":"VCID-r36u-2h85-23b2"},{"vulnerability":"VCID-rzfg-uyxe-xyhd"},{"vulnerability":"VCID-zzf6-uufj-3kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.14.1"}],"aliases":["CVE-2025-64326","GHSA-gr35-vpx2-qxhc","PYSEC-2025-126","PYSEC-2025-230"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-27fd-5u31-q7ft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28505?format=json","vulnerability_id":"VCID-7uky-8ks8-8kg1","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39845","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01239","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39845"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18815","reference_id":"18815","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:00Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18815"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2","reference_id":"GHSA-f8hv-g549-hwg2","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T19:37:00Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92245?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-39845","GHSA-f8hv-g549-hwg2","PYSEC-2026-156"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7uky-8ks8-8kg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28337?format=json","vulnerability_id":"VCID-7xdv-rje4-bfh5","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34393","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03643","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34393"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18687","reference_id":"18687","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:38:44Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18687"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v","reference_id":"GHSA-3382-gw9x-477v","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:38:44Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92245?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-34393","GHSA-3382-gw9x-477v","PYSEC-2026-155"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7xdv-rje4-bfh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28223?format=json","vulnerability_id":"VCID-dfsk-f6ch-hqcn","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33220","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.0452","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33220"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18516","reference_id":"18516","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:09:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18516"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm","reference_id":"GHSA-mqph-7h49-hqfm","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T14:09:48Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92245?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33220","GHSA-mqph-7h49-hqfm","PYSEC-2026-153"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dfsk-f6ch-hqcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28218?format=json","vulnerability_id":"VCID-dsmf-fhrh-ukh3","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33214","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01482","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33214"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18513","reference_id":"18513","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:31:35Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18513"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r","reference_id":"GHSA-mpf5-3vph-q75r","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T18:31:35Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92245?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33214","GHSA-mpf5-3vph-q75r","PYSEC-2026-152"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dsmf-fhrh-ukh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114417?format=json","vulnerability_id":"VCID-dyct-cymv-e3fe","summary":"Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32021","reference_id":"","reference_type":"","scores":[{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49649","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32021"},{"reference_url":"https://github.com/advisories/GHSA-m67m-3p5g-cw9j","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://github.com/advisories/GHSA-m67m-3p5g-cw9j"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j","reference_id":"GHSA-m67m-3p5g-cw9j","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T14:40:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j"},{"reference_url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11","reference_id":"weblate-5.11","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-16T14:40:58Z/"}],"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87459?format=json","purl":"pkg:pypi/weblate@5.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27fd-5u31-q7ft"},{"vulnerability":"VCID-7uky-8ks8-8kg1"},{"vulnerability":"VCID-7xdv-rje4-bfh5"},{"vulnerability":"VCID-dfsk-f6ch-hqcn"},{"vulnerability":"VCID-dsmf-fhrh-ukh3"},{"vulnerability":"VCID-nvm6-6nvn-vqff"},{"vulnerability":"VCID-r36u-2h85-23b2"},{"vulnerability":"VCID-rzfg-uyxe-xyhd"},{"vulnerability":"VCID-zzf6-uufj-3kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.11"}],"aliases":["CVE-2025-32021","GHSA-m67m-3p5g-cw9j","PYSEC-2025-35"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dyct-cymv-e3fe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95116?format=json","vulnerability_id":"VCID-nvm6-6nvn-vqff","summary":"Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66407","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06046","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66407"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17102","reference_id":"17102","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17102"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17103","reference_id":"17103","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17103"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66407","reference_id":"CVE-2025-66407","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66407"},{"reference_url":"https://github.com/advisories/GHSA-hfpv-mc5v-p9mm","reference_id":"GHSA-hfpv-mc5v-p9mm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hfpv-mc5v-p9mm"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm","reference_id":"GHSA-hfpv-mc5v-p9mm","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36215?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uky-8ks8-8kg1"},{"vulnerability":"VCID-7xdv-rje4-bfh5"},{"vulnerability":"VCID-dfsk-f6ch-hqcn"},{"vulnerability":"VCID-dsmf-fhrh-ukh3"},{"vulnerability":"VCID-rzfg-uyxe-xyhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-66407","GHSA-hfpv-mc5v-p9mm","PYSEC-2025-231"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nvm6-6nvn-vqff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109177?format=json","vulnerability_id":"VCID-r36u-2h85-23b2","summary":"Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67492","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05349","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67492"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-232.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-232.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17221","reference_id":"17221","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:13:36Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17221"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67492","reference_id":"CVE-2025-67492","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67492"},{"reference_url":"https://github.com/advisories/GHSA-pj86-258h-qrvf","reference_id":"GHSA-pj86-258h-qrvf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pj86-258h-qrvf"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf","reference_id":"GHSA-pj86-258h-qrvf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:13:36Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36215?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uky-8ks8-8kg1"},{"vulnerability":"VCID-7xdv-rje4-bfh5"},{"vulnerability":"VCID-dfsk-f6ch-hqcn"},{"vulnerability":"VCID-dsmf-fhrh-ukh3"},{"vulnerability":"VCID-rzfg-uyxe-xyhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-67492","GHSA-pj86-258h-qrvf","PYSEC-2025-232"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r36u-2h85-23b2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28249?format=json","vulnerability_id":"VCID-rzfg-uyxe-xyhd","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33435","reference_id":"","reference_type":"","scores":[{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29593","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33435"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/18549","reference_id":"18549","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:40:18Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/18549"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33","reference_id":"GHSA-558g-h753-6m33","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-15T18:40:18Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92245?format=json","purl":"pkg:pypi/weblate@5.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.17"}],"aliases":["CVE-2026-33435","GHSA-558g-h753-6m33","PYSEC-2026-154"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rzfg-uyxe-xyhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109005?format=json","vulnerability_id":"VCID-zzf6-uufj-3kap","summary":"Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67715","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01722","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-67715"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-233.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-233.yaml"},{"reference_url":"https://github.com/WeblateOrg/weblate/pull/17256","reference_id":"17256","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T14:36:56Z/"}],"url":"https://github.com/WeblateOrg/weblate/pull/17256"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67715","reference_id":"CVE-2025-67715","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67715"},{"reference_url":"https://github.com/advisories/GHSA-3pmh-24wp-xpf4","reference_id":"GHSA-3pmh-24wp-xpf4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pmh-24wp-xpf4"},{"reference_url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4","reference_id":"GHSA-3pmh-24wp-xpf4","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T14:36:56Z/"}],"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36215?format=json","purl":"pkg:pypi/weblate@5.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uky-8ks8-8kg1"},{"vulnerability":"VCID-7xdv-rje4-bfh5"},{"vulnerability":"VCID-dfsk-f6ch-hqcn"},{"vulnerability":"VCID-dsmf-fhrh-ukh3"},{"vulnerability":"VCID-rzfg-uyxe-xyhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@5.15"}],"aliases":["CVE-2025-67715","GHSA-3pmh-24wp-xpf4","PYSEC-2025-233"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zzf6-uufj-3kap"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/weblate@4.18"}