Weblateorg Weblate
31 CVEs affecting Weblateorg Weblate. Latest disclosed: 2026-05-07. Critical: 1, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-68398 | Critical | 9.1 | 2025-12-18 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavio… |
| CVE-2026-34393 | High | 8.8 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has be… |
| CVE-2026-41654 | High | 8.1 | 2026-05-07 | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for an… |
| CVE-2026-33435 | High | 8.1 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to… |
| CVE-2026-34242 | High | 7.7 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks o… |
| CVE-2025-68279 | High | 7.7 | 2025-12-18 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbol… |
| CVE-2026-33220 | Medium | 6.8 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform prop… |
| CVE-2026-24126 | Medium | 6.6 | 2026-02-18 | Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which co… |
| CVE-2022-24710 | Medium | 5.4 | 2022-02-25 | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and lan… |
| CVE-2025-67492 | Medium | 5.3 | 2025-12-16 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook… |
| CVE-2026-40256 | Medium | 5.0 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths… |
| CVE-2026-34244 | Medium | 5.0 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role)… |
| CVE-2026-33440 | Medium | 5.0 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't res… |
| CVE-2025-66407 | Medium | 5.0 | 2025-12-15 | Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying… |
| CVE-2025-47951 | Medium | 4.9 | 2025-06-16 | Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate li… |
| CVE-2024-39303 | Medium | 4.4 | 2024-07-01 | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible… |
| CVE-2026-44264 | Medium | 4.3 | 2026-05-07 | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly… |
| CVE-2026-44263 | Medium | 4.3 | 2026-05-07 | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations i… |
| CVE-2026-33214 | Medium | 4.3 | 2026-04-15 | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce prop… |
| CVE-2026-27457 | Medium | 4.3 | 2026-02-26 | Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.obj… |
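Three of the entries above (CVE-2026-40256's string-prefix boundary check, and the symlink-following file reads in CVE-2025-68279 and CVE-2026-34242) are instances of one recurring bug class: deciding whether a file path lies inside a repository by comparing strings rather than path components, or by not resolving symlinks before comparing. The example below is added here and is not Weblate's code; it does not reproduce the project's actual check, and the directory layout (a `repo` directory, a `repo-backup` sibling that shares its name as a prefix, and a `.po` symlink pointing at a file outside the repo) is constructed for the demonstration. It places a lexical prefix check and a resolved-path prefix check beside a containment check that compares path components after resolving symlinks, and runs all three over the same inputs.

```python
"""Added example (not Weblate's code): why "resolved absolute path starts
with the repository path" is not a repository-boundary check, and a
containment check that survives prefix-sharing siblings, `..` segments
and symlinks. Runs offline in a temporary directory it builds itself.
"""
import os
import shutil
import tempfile
from pathlib import Path


def abspath_prefix(repo: Path, candidate: str) -> bool:
    """Weakest form: normalises `..` lexically but never follows symlinks,
    so a symlink inside the repo that points outside passes."""
    return os.path.abspath(candidate).startswith(os.path.abspath(repo))


def realpath_prefix(repo: Path, candidate: str) -> bool:
    """The pattern described for CVE-2026-40256 (illustration, not the
    project's code): resolve symlinks, then compare as a string prefix.
    `/srv/repo-backup/x` starts with `/srv/repo`, so it is accepted."""
    return os.path.realpath(candidate).startswith(os.path.realpath(repo))


def contained(repo: Path, candidate: str) -> bool:
    """Hardened check: resolve both sides strictly (dangling paths and
    symlink loops are rejected) and require the repository root to be the
    target itself or one of its *path-component* parents."""
    try:
        root = repo.resolve(strict=True)
        target = Path(candidate).resolve(strict=True)
    except (OSError, RuntimeError):
        return False
    return target == root or root in target.parents


def build_fixture() -> Path:
    """Constructed layout (assumption for this example):
    base/repo/locale/de.po        a legitimate translation file
    base/repo/locale/en.po  ->    symlink to base/etc/settings.py
    base/repo-backup/secret.txt   sibling sharing the repo's name prefix
    base/etc/settings.py          a file that must never be served
    """
    base = Path(tempfile.mkdtemp(prefix="boundary-example-"))
    (base / "repo" / "locale").mkdir(parents=True)
    (base / "repo" / "locale" / "de.po").write_text('msgid ""\n')
    (base / "repo-backup").mkdir()
    (base / "repo-backup" / "secret.txt").write_text("not for download\n")
    (base / "etc").mkdir()
    (base / "etc" / "settings.py").write_text("SECRET_KEY = 'x'\n")
    os.symlink(base / "etc" / "settings.py", base / "repo" / "locale" / "en.po")
    return base


def run_cases() -> dict:
    """Evaluate each candidate path with all three checks.
    Returns {case: (abspath_prefix, realpath_prefix, contained)}."""
    base = build_fixture()
    repo = base / "repo"
    cases = {
        "inside": str(repo / "locale" / "de.po"),
        "sibling_prefix": str(base / "repo-backup" / "secret.txt"),
        "symlink_out": str(repo / "locale" / "en.po"),
        "dotdot": str(repo / "locale" / ".." / ".." / "etc" / "settings.py"),
    }
    try:
        return {
            name: (abspath_prefix(repo, p), realpath_prefix(repo, p), contained(repo, p))
            for name, p in cases.items()
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, verdicts in run_cases().items():
        print(f"{name:15s} abspath_prefix={verdicts[0]!s:5s} "
              f"realpath_prefix={verdicts[1]!s:5s} contained={verdicts[2]}")
```

Only `contained` rejects all three hostile inputs: the lexical check accepts the symlink, and the resolved-prefix check accepts the sibling directory because `repo-backup` begins with `repo`. The strict resolve is deliberate; a non-strict resolve would let a dangling symlink produce a path that passes the check and then fails, or worse, succeeds later once the target is created.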