CVE-2026-34393 — Weblate: Privilege escalation in the user API endpoint

Description

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

How to fix CVE-2026-34393

To remediate CVE-2026-34393, upgrade the affected package to a fixed version below.

PyPI/weblate—upgrade to 5.17 or later
—upgrade to 5.17 or later

Is CVE-2026-34393 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.17
from 0, < 5.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-34393
PATCHgithub.com/WeblateOrg/weblate
WEBgithub.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-155.yaml
WEBgithub.com/WeblateOrg/weblate/pull/18687