| CVE | Severity | Score | Score | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-41654 | high | 8.1 | 8.1 | 22d ago | Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url |
| CVE-2025-66407 | medium | — | 5.5 | 3d ago | Weblate has a Server-Side Request Forgery issue |
| CVE-2026-45106 | medium | — | 5.5 | 14d ago | Weblate: Stored HTML injection in editor search preview |
| CVE-2026-41519 | medium | 5.4 | 5.4 | 29d ago | Weblate Doesn't Invalidate API Token on Password Change |
| CVE-2017-5537 | medium | 5.3 | 5.3 | 9y ago | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate use… |
| CVE-2026-44263 | medium | 4.3 | 4.3 | 22d ago | Weblate Vulnerable to Private Translation Enumeration via Screenshot API |
| CVE-2026-44264 | medium | 4.3 | 4.3 | 23d ago | Weblate vulnerable to XSS via crafted Markdown |
| CVE-2026-40256 | unknown | — | — | 1mo ago | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision |
| CVE-2026-39845 | unknown | — | — | 1mo ago | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable … |
| CVE-2026-34393 | unknown | — | — | 1mo ago | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17. |
| CVE-2026-34244 | unknown | — | — | 1mo ago | Weblate: SSRF via Project-Level Machinery Configuration |
| CVE-2026-34242 | unknown | — | — | 1mo ago | Weblate: Arbitrary File Read via Symlink |
| CVE-2026-33440 | unknown | — | — | 1mo ago | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads |
| CVE-2026-33435 | unknown | — | — | 1mo ago | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain cir… |
| CVE-2026-33220 | unknown | — | — | 1mo ago | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been f… |
| CVE-2026-33214 | unknown | — | — | 1mo ago | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been f… |
| CVE-2026-33212 | unknown | — | — | 1mo ago | Weblate: Improper access control for pending tasks in API |
| CVE-2026-27457 | unknown | — | — | 3mo ago | Weblate: Missing access control for the AddonViewSet API exposes all addon configurations |
| CVE-2026-24126 | unknown | — | — | 3mo ago | Weblate has an argument injection in management console |
| CVE-2026-21889 | unknown | — | — | 5mo ago | Weblate leaks information via screenshots |
| CVE-2025-68398 | unknown | — | — | 5mo ago | Weblate is vulnerable to RCE through Git config file overwrite |
| CVE-2025-68279 | unknown | — | — | 5mo ago | Weblate has an arbitrary file read via symbolic links |
| CVE-2025-67715 | unknown | — | — | 6mo ago | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. |
| CVE-2025-67492 | unknown | — | — | 6mo ago | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. A… |
| CVE-2025-64725 | unknown | — | — | 6mo ago | Weblate has improper validation upon invitation acceptance |
| CVE-2025-64326 | unknown | — | — | 7mo ago | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP … |
| CVE-2025-58352 | unknown | — | — | 9mo ago | Weblate has a long session expiry when verifying second factor |
| CVE-2025-49134 | unknown | — | — | 1y ago | Weblate exposes personal IP address via e-mail |
| CVE-2025-47951 | unknown | — | — | 1y ago | Weblate lacks rate limiting when verifying second factor |
| CVE-2025-32021 | unknown | — | — | 1y ago | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is incl… |
| CVE-2024-39303 | unknown | — | — | 2y ago | Weblate vulnerable to improper sanitization of project backups |
| CVE-2022-24727 | unknown | — | — | 4y ago | The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavi… |
| CVE-2022-23915 | unknown | — | — | 4y ago | The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavi… |
| CVE-2022-24710 | unknown | — | — | 4y ago | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutr… |