weblate (PyPI): 27 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting weblate (page 1 of 1)
- CVE-2017-5537 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 2.10.1 | 2017-03-15
vulnerable: 1.9 ... 2.9 (12 versions)
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
- CVE-2022-23915 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 4.11.1 | 2022-03-04
vulnerable: 1.9 ... 4.9.1 (86 versions)
The package weblate from 0 and before 4.11.1 is vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users can change the behavior of the application in an unintended wa…
- CVE-2022-24710 | MEDIUM | CVSS 5.4 | EG 5.4 | Fixed in 4.11 | 2022-02-25
vulnerable: 1.9 ... 4.9.1 (85 versions)
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cros…
- CVE-2024-39303 | MEDIUM | CVSS 4.4 | EG 4.4 | Fixed in 5.6.2 | 2024-07-01
vulnerable: 4.14 ... 5.6.1 (35 versions)
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. Th…
- CVE-2025-32021 | LOW | CVSS 2.2 | EG 2.2 | Fixed in 5.11 | 2025-04-15
vulnerable: 1.9 ... 5.9.2 (143 versions)
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters duri…
- CVE-2025-47951 | MEDIUM | CVSS 4.9 | EG 4.9 | Fixed in 5.12 | 2025-06-16
vulnerable: 1.9 ... 5.9.dev0 (148 versions)
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials t…
- CVE-2025-49134 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 5.12 | 2025-06-16
vulnerable: 1.9 ... 5.9.dev0 (148 versions)
Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue ha…
- CVE-2025-58352 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 5.13.1 | 2025-09-05
vulnerable: 1.9 ... 5.9.dev0 (151 versions)
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the s…
- CVE-2025-64326 | LOW | CVSS 2.6 | EG 2.6 | Fixed in 5.14.1 | 2025-11-06
vulnerable: 1.9 ... 5.9.dev0 (155 versions)
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, …
- CVE-2025-64725 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 5.15 | 2025-12-15
vulnerable: 1.9 ... 5.9.dev0 (158 versions)
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitati…
- CVE-2025-66407 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 5.15 | 2026-05-26
vulnerable: 1.9 ... 5.9.2 (157 versions)
Weblate has a Server-Side Request Forgery issue. Impact: The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository UR…
- CVE-2025-67715 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 5.15 | 2025-12-16
vulnerable: 1.9 ... 5.9.2 (157 versions)
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
- CVE-2025-68279 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 5.15.1 | 2025-12-18
vulnerable: 1.9 ... 5.9.2 (158 versions)
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
- CVE-2026-33212 | LOW | CVSS 3.1 | EG 3.1 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker ne…
- CVE-2026-33214 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unabl…
- CVE-2026-33220 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are …
- CVE-2026-33435 | HIGH | CVSS 8.0 | EG 8.0 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in…
- CVE-2026-33440 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.
- CVE-2026-34242 | HIGH | CVSS 7.7 | EG 7.7 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
- CVE-2026-34244 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal n…
- CVE-2026-34393 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
- CVE-2026-39845 | MEDIUM | CVSS 4.1 | EG 4.1 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable …
- CVE-2026-40256 | MEDIUM | CVSS 5.0 | EG 5.0 | Fixed in 5.17 | 2026-04-15
vulnerable: 1.9 ... 5.9.2 (163 versions)
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root pa…
- CVE-2026-41519 | MEDIUM | CVSS 4.2 | EG 4.2 | Fixed in 5.17.1 | 2026-05-07
vulnerable: 1.9 ... 5.9.2 (164 versions)
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" a…
- CVE-2026-41654 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 5.17.1 | 2026-05-07
vulnerable: 1.9 ... 5.9.2 (164 versions)
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup…
- CVE-2026-44263 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 5.17.1 | 2026-05-07
vulnerable: 1.9 ... 5.9.2 (164 versions)
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.1…
- CVE-2026-44264 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 5.17.1 | 2026-05-07
vulnerable: 1.9 ... 5.9.2 (164 versions)
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1.