CVE-2026-34393

HIGH8.8EPSS 0.02%

Weblate: Privilege escalation in the user API endpoint

Published: 4/16/2026Modified: 5/20/2026

Description

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

Affected packages (2)

PyPI/weblatefrom 0, < 5.17
PyPI/weblatefrom 0, < 5.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34393
PATCHhttps://github.com/WeblateOrg/weblate
WEBhttps://github.com/WeblateOrg/weblate/pull/18687
WEBhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v