pkg:PyPI/weblate

All known vulnerabilities

• CRITICAL9.1CVE-2025-68398Weblate is vulnerable to RCE through Git config file overwrite
  from 0, < 5.15.1
• HIGH8.8CVE-2026-34393Weblate: Privilege escalation in the user API endpoint
  from 0, < 5.17
• HIGH8.8Weblate: Privilege escalation in the user API endpoint
  from 0, < 5.17
• HIGH8.8Duplicate Advisory: Command injection in Weblate
  from 0, < 4.11.1
• HIGH8.8Duplicate Advisory: Command injection in Weblate
  from 0, < 4.11.1
• HIGH8.8Duplicate Advisory: Command injection in Weblate
  from 0, < 35d59f1f040541c358cece0a8d4a63183ca919b8, < d83672a3e7415da1490334e2c9431e5da1966842 | from 0, < 4.11.1
• HIGH8.8Duplicate Advisory: Command injection in Weblate
  from 0, < 4.11.1
• HIGH8.0Weblate: Remote code execution during backup restoration
  from 0, < 5.17
• HIGH8.0Weblate: Remote code execution during backup restoration
  from 0, < 5.17
• HIGH7.7Weblate: Arbitrary File Read via Symlink
  from 0, < 5.17
• HIGH7.7Weblate has an arbitrary file read via symbolic links
  from 0, < 5.15.1
• MEDIUM6.8Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
  from 0, < 5.17
• MEDIUM6.8Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
  from 0, < 5.17
• MEDIUM6.6Weblate has an argument injection in management console
  from 0, < 5.16.0
• MEDIUM5.4Cross-site Scripting in Weblate
  from 0, < 4.11
• MEDIUM5.4Cross-site Scripting in Weblate
  from 0, < f6753a1a1c63fade6ad418fbda827c6750ab0bda, < 9e19a8414337692cc90da2a91c9af5420f2952f1, < 22d577b1f1e88665a88b4569380148030e0f8389 | from 0, < 4.11
• MEDIUM5.3Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration
  from 0, < 5.15
• MEDIUM5.3Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration
  from 0, < 5.15
• MEDIUM5.3Weblate exposes personal IP address via e-mail
  from 0, < 5.12
• MEDIUM5.3Weblate user account enumeration via reset password form
  from 0, < 2.10.1
• MEDIUM5.3Weblate user account enumeration via reset password form
  from 0, < abe0d2a29a1d8e896bfe829c8461bf8b391f1079 | from 0, < 2.10.1
• MEDIUM5.0Weblate has a Server-Side Request Forgery issue
  from 0, < 5.15
• MEDIUM5.0Weblate has a Server-Side Request Forgery issue
  from 0, < 5.15
• MEDIUM5.0Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
  from 0, < 5.17
• MEDIUM5.0Weblate: SSRF via Project-Level Machinery Configuration
  from 0, < 5.17
• MEDIUM5.0Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
  from 0, < 5.17
• MEDIUM4.9Weblate lacks rate limiting when verifying second factor
  from 0, < 5.12
• MEDIUM4.6Weblate: Stored HTML injection in editor search preview
  from 0, < 2026.5
• MEDIUM4.4Weblate vulnerable to improper sanitization of project backups
  >= 4.14, < 5.6.2
• MEDIUM4.3Weblate vulnerable to XSS via crafted Markdown
  from 0, < 5.17.1
• MEDIUM4.3Weblate Vulnerable to Private Translation Enumeration via Screenshot API
  from 0, < 5.17.1
• MEDIUM4.3Weblate: Improper access control for the translation memory in API
  from 0, < 5.17
• MEDIUM4.3Weblate: Improper access control for the translation memory in API
  from 0, < 5.17
• MEDIUM4.3Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
  from 0, < 5.16.1
• MEDIUM4.3Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
  from 0, < 5.15
• MEDIUM4.3Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
  from 0, < 5.15
• MEDIUM4.2Weblate Doesn't Invalidate API Token on Password Change
  from 0, < 5.17.1
• MEDIUM4.1Weblate: SSRF via the webhook add-on using unprotected fetch_url()
  from 0, < 5.17
• MEDIUM4.1Weblate: SSRF via the webhook add-on using unprotected fetch_url()
  from 0, < 5.17
• LOW3.1Weblate: Improper access control for pending tasks in API
  from 0, < 5.17
• LOW2.6Weblate leaks the IP of project member inviting user to be reviewer in Audit log
  from 0, < 5.14.1
• LOW2.6Weblate leaks the IP of project member inviting user to be reviewer in Audit log
  from 0, < 5.14.1
• LOW2.2VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
  from 0, < 5.11
• LOW2.2VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
  from 0, < 5.11
• —Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
  from 0, < 5.17.1
• —Weblate leaks information via screenshots
  from 0, < 5.15.2
• —Weblate has improper validation upon invitation acceptance
  from 0, < 5.15
• —Weblate has a long session expiry when verifying second factor
  from 0, < 5.13.1