pkg:PyPI/weblate

48 total CVEs: CRITICAL 1, HIGH 10, MEDIUM 28, LOW 5


All known vulnerabilities

  • CRITICAL 9.1 | CVE-2025-68398 | Weblate is vulnerable to RCE through Git config file overwrite
    affected: from 0, < 5.15.1
  • HIGH 8.8 | CVE-2026-34393 | Weblate: Privilege escalation in the user API endpoint
    affected: from 0, < 5.17
  • HIGH 8.8 | CVE-2022-23915 | Duplicate Advisory: Command injection in Weblate
    affected: from 0, < 4.11.1
  • HIGH 8.8 | CVE-2022-23915 | Duplicate Advisory: Command injection in Weblate
    affected: from 0, < 35d59f1f040541c358cece0a8d4a63183ca919b8, < d83672a3e7415da1490334e2c9431e5da1966842 | from 0, < 4.11.1
  • HIGH 8.0 | CVE-2026-33435 | Weblate: Remote code execution during backup restoration
    affected: from 0, < 5.17
  • HIGH 7.7 | CVE-2026-34242 | Weblate: Arbitrary File Read via Symlink
    affected: from 0, < 5.17
  • HIGH 7.7 | CVE-2025-68279 | Weblate has an arbitrary file read via symbolic links
    affected: from 0, < 5.15.1
  • MEDIUM 6.8 | CVE-2026-33220 | Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
    affected: from 0, < 5.17
  • MEDIUM 6.6 | CVE-2026-24126 | Weblate has an argument injection in management console
    affected: from 0, < 5.16.0
  • MEDIUM 5.4 | CVE-2022-24710 | Cross-site Scripting in Weblate
    affected: from 0, < 4.11
  • MEDIUM 5.4 | CVE-2022-24710 | Cross-site Scripting in Weblate
    affected: from 0, < f6753a1a1c63fade6ad418fbda827c6750ab0bda, < 9e19a8414337692cc90da2a91c9af5420f2952f1, < 22d577b1f1e88665a88b4569380148030e0f8389 | from 0, < 4.11
  • MEDIUM 5.3 | CVE-2025-67492 | Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration
    affected: from 0, < 5.15
  • MEDIUM 5.3 | CVE-2025-49134 | Weblate exposes personal IP address via e-mail
    affected: from 0, < 5.12
  • MEDIUM 5.3 | CVE-2017-5537 | Weblate user account enumeration via reset password form
    affected: from 0, < 2.10.1
  • MEDIUM 5.3 | CVE-2017-5537 | Weblate user account enumeration via reset password form
    affected: from 0, < abe0d2a29a1d8e896bfe829c8461bf8b391f1079 | from 0, < 2.10.1
  • MEDIUM 5.0 | CVE-2025-66407 | Weblate has a Server-Side Request Forgery issue
    affected: from 0, < 5.15
  • MEDIUM 5.0 | CVE-2026-40256 | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
    affected: from 0, < 5.17
  • MEDIUM 5.0 | CVE-2026-34244 | Weblate: SSRF via Project-Level Machinery Configuration
    affected: from 0, < 5.17
  • MEDIUM 5.0 | CVE-2026-33440 | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
    affected: from 0, < 5.17
  • MEDIUM 4.9 | CVE-2025-47951 | Weblate lacks rate limiting when verifying second factor
    affected: from 0, < 5.12
  • MEDIUM 4.6 | CVE-2026-45106 | Weblate: Stored HTML injection in editor search preview
    affected: from 0, < 2026.5
  • MEDIUM 4.4 | CVE-2024-39303 | Weblate vulnerable to improper sanitization of project backups
    affected: >= 4.14, < 5.6.2
  • MEDIUM 4.3 | CVE-2026-44264 | Weblate vulnerable to XSS via crafted Markdown
    affected: from 0, < 5.17.1
  • MEDIUM 4.3 | CVE-2026-44263 | Weblate Vulnerable to Private Translation Enumeration via Screenshot API
    affected: from 0, < 5.17.1
  • MEDIUM 4.3 | CVE-2026-33214 | Weblate: Improper access control for the translation memory in API
    affected: from 0, < 5.17
  • MEDIUM 4.3 | CVE-2026-27457 | Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
    affected: from 0, < 5.16.1
  • MEDIUM 4.3 | CVE-2025-67715 | Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
    affected: from 0, < 5.15
  • MEDIUM 4.2 | CVE-2026-41519 | Weblate Doesn't Invalidate API Token on Password Change
    affected: from 0, < 5.17.1
  • MEDIUM 4.1 | CVE-2026-39845 | Weblate: SSRF via the webhook add-on using unprotected fetch_url()
    affected: from 0, < 5.17
  • LOW 3.1 | CVE-2026-33212 | Weblate: Improper access control for pending tasks in API
    affected: from 0, < 5.17
  • LOW 2.6 | CVE-2025-64326 | Weblate leaks the IP of project member inviting user to be reviewer in Audit log
    affected: from 0, < 5.14.1
  • LOW 2.2 | CVE-2025-32021 | VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
    affected: from 0, < 5.11
  • CVE-2026-41654 | Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
    affected: from 0, < 5.17.1
  • CVE-2026-21889 | Weblate leaks information via screenshots
    affected: from 0, < 5.15.2
  • CVE-2025-64725 | Weblate has improper validation upon invitation acceptance
    affected: from 0, < 5.15
  • CVE-2025-58352 | Weblate has a long session expiry when verifying second factor
    affected: from 0, < 5.13.1