
Weblate — Vulnerabilities & Security Advisories 32

All 32 CVE vulnerabilities found in Weblate, with AI-generated Chinese analysis, references, and POCs.

This page aggregates the published vulnerabilities in Weblate, an open-source translation management platform, with each entry classified by its Common Weakness Enumeration (CWE) identifier. The entries run from the first public advisory through the most recent releases, giving a longitudinal view of the product's security posture, and they span the weakness classes seen in Weblate so far: cross-site scripting, argument injection, server-side request forgery, path traversal and symlink handling in repository and backup code, and missing or improper access control on REST API endpoints.

The listing supports three kinds of work. Tracking vendor advisories: each row ties a CVE to its score, severity and publication date, so the patches and mitigations released by the Weblate maintainers can be followed over time. Studying a weakness class: grouping the rows by CWE shows where a class recurs in the product's architecture, for instance in repository path checks, rendering of user-supplied content, or API authorization, which is where hardening effort should concentrate. Assessing a deployment: the frequency and severity of past issues feed risk assessment and compliance verification for organizations running Weblate. Only published data is presented, without speculation, so that developers and security teams can prioritize hardening measures on the evidence of what has actually been reported rather than on theoretical risk.

Vendor: n/a

Columns: CVE ID, title, CWE, CVSS score, severity, publication date. A value of "-" means the listing gives none; "(AI)" reproduces the listing's "AI" flag on that value, indicating it comes from the site's AI analysis rather than from the advisory's published rating. The table below carries 30 of the 32 entries the heading counts.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44264 | Weblate is vulnerable to XSS via crafted Markdown | CWE-80 | 4.3 | Medium | 2026-05-07 |
| CVE-2026-44263 | Weblate: Private Translation Enumeration via Screenshot API | CWE-203 | 4.3 | Medium | 2026-05-07 |
| CVE-2026-41519 | Weblate's API Token Not Invalidated on Password Change | CWE-613 | 4.2 | Medium | 2026-05-07 |
| CVE-2026-41654 | Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url | CWE-20 | 8.1 | - | 2026-05-07 |
| CVE-2026-40256 | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision | CWE-22 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-39845 | Weblate: SSRF via the webhook add-on using unprotected fetch_url() | CWE-918 | 4.1 | Medium | 2026-04-15 |
| CVE-2026-34393 | Weblate: Privilege escalation in the user API endpoint | CWE-269 | 8.8 | High | 2026-04-15 |
| CVE-2026-34244 | Weblate: SSRF via Project-Level Machinery Configuration | CWE-200 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-34242 | Weblate: Arbitrary File Read via Symlink | CWE-22 | 7.7 | High | 2026-04-15 |
| CVE-2026-33440 | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | CWE-918 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-33435 | Weblate: Remote code execution during backup restoration | CWE-23 | 8.1 | High | 2026-04-15 |
| CVE-2026-33220 | Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository | CWE-22 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-33214 | Weblate has improper access control for the translation memory API | CWE-862 | 4.3 | Medium | 2026-04-15 |
| CVE-2026-33212 | Weblate: Improper access control for pending tasks in API | CWE-284 | 3.1 | Low | 2026-04-15 |
| CVE-2026-27457 | Weblate: Missing access control for the AddonViewSet API exposes all addon configurations | CWE-862 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-24126 | Weblate has an argument injection in management console | CWE-88 | 6.6 | Medium | 2026-02-18 |
| CVE-2026-21889 | Weblate leaks information via screenshots | CWE-284 | 5.3 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-68398 | Weblate has git config file overwrite vulnerability that leads to remote code execution | CWE-20 | 9.1 | Critical | 2025-12-18 |
| CVE-2025-68279 | Weblate has an arbitrary file read via symbolic links | CWE-22 | 7.7 | High | 2025-12-18 |
| CVE-2025-67715 | Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) | CWE-284 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-67492 | Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration | CWE-1286 | 5.3 | Medium | 2025-12-16 |
| CVE-2025-66407 | Weblate has Server-Side Request Forgery vulnerability | CWE-352 | 5.0 | Medium | 2025-12-15 |
| CVE-2025-64725 | Weblate has improper validation upon invitation acceptance | CWE-286 | 4.3 (AI) | Medium (AI) | 2025-12-15 |
| CVE-2025-64326 | Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log | CWE-212 | 2.6 | Low | 2025-11-06 |
| CVE-2025-61587 | Weblate integration with Anubis can lead to Open Redirect via redir parameter | CWE-601 | 6.1 | - | 2025-10-01 |
| CVE-2025-58352 | Weblate has long session expiry times during second factor verification | CWE-613 | - | - (AI) | 2025-09-04 |
| CVE-2025-49134 | Weblate exposes personal IP address via e-mail | CWE-359 | 5.3 (AI) | Medium (AI) | 2025-06-16 |
| CVE-2025-47951 | Weblate lacks rate limiting when verifying second factor | CWE-307 | 4.9 | Medium | 2025-06-16 |
| CVE-2025-32021 | Weblate VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext | CWE-598 | 2.2 | Low | 2025-04-15 |
| CVE-2024-39303 | Weblate vulnerable to improper sanitization of project backups | CWE-73 | 4.4 | Medium | 2024-07-01 |
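The two uses this page describes, grouping the history by weakness class and ranking entries by severity for risk assessment, only work if the listing's quirks are handled explicitly: some rows have no score ("-"), some scores and severities carry the listing's "AI" flag, and a couple of rows give a score but no severity. The following is an added example written for this page, not code from the site or from the Weblate project. It assumes the raw flattened row format seen in this listing (CVE id, title, CWE, score, severity and date run together), embeds six rows copied from the table as constructed sample input, and derives the missing severity band from the CVSS v3.x qualitative rating scale so that unscored or AI-flagged rows are surfaced for manual triage instead of being silently treated as low risk.

```python
"""Parse and triage Weblate advisory rows as they appear flattened on this page.

Added example, not part of the source listing or of Weblate itself. The row
format (CVE id, title, CWE, CVSS, severity, date run together, with an 'AI'
marker on some values) is assumed from the table on this page; the sample rows
are copied from it.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six rows copied from the listing on this page in its
# raw flattened form, chosen to cover the scored, unscored, AI-flagged and
# severity-missing cases.
SAMPLE_ROWS = """\
CVE-2026-34393 Weblate: Privilege escalation in the user API endpoint CWE-269 8.8 High2026-04-15
CVE-2026-41654 Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url CWE-20 8.1 -2026-05-07
CVE-2026-21889 Weblate leaks information via screenshots CWE-284 5.3AIMediumAI2026-01-14
CVE-2025-58352 Weblate has long session expiry times during second factor verification CWE-613--AI2025-09-04
CVE-2025-68398 Weblate has git config file overwrite vulnerability that leads to remote code execution CWE-20 9.1 Critical2025-12-18
CVE-2026-33214 Weblate has improper access control for the translation memory API CWE-862 4.3 Medium2026-04-15
"""

# One flattened row: id, free-text title, CWE, optional score (or '-'),
# optional 'AI' marker, optional severity (or '-'), optional 'AI' marker, date.
ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(.*?)\s+(CWE-\d+)\s*"
    r"(\d{1,2}\.\d|-)?(AI)?\s*(Critical|High|Medium|Low|-)?(AI)?"
    r"(\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Advisory:
    cve: str
    title: str
    cwe: str
    cvss: Optional[float]      # None when the listing shows '-'
    severity: Optional[str]    # None when the listing shows '-'
    ai_estimated: bool         # True when the listing flags the value 'AI'
    published: str


def parse_rows(text: str) -> List[Advisory]:
    """Parse flattened rows; a malformed line raises rather than being dropped."""
    advisories: List[Advisory] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        cve, title, cwe, score, ai1, sev, ai2, date = m.groups()
        advisories.append(Advisory(
            cve=cve,
            title=title,
            cwe=cwe,
            cvss=float(score) if score and score != "-" else None,
            severity=sev if sev and sev != "-" else None,
            ai_estimated=bool(ai1 or ai2),
            published=date,
        ))
    return advisories


def cvss_band(score: float) -> str:
    """Qualitative rating per the CVSS v3.x specification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def by_cwe(advisories: List[Advisory]) -> Dict[str, int]:
    """How often each weakness class recurs; repeated CWEs point at systemic gaps."""
    return dict(Counter(a.cwe for a in advisories))


def prioritize(advisories: List[Advisory], min_cvss: float = 7.0,
               include_ai: bool = False) -> List[str]:
    """CVE ids scored at or above min_cvss, highest score first, newest first.

    AI-flagged scores are left out unless asked for; rows with no score are
    never ranked here (see unscored()), so they cannot be silently buried."""
    ranked = [a for a in advisories
              if a.cvss is not None and a.cvss >= min_cvss
              and (include_ai or not a.ai_estimated)]
    ranked.sort(key=lambda a: (a.cvss, a.published), reverse=True)
    return [a.cve for a in ranked]


def unscored(advisories: List[Advisory]) -> List[str]:
    """Rows with no CVSS at all: they need manual triage, not a default of 0."""
    return [a.cve for a in advisories if a.cvss is None]


def severity_mismatches(advisories: List[Advisory]) -> List[str]:
    """Rows whose listed severity is missing or disagrees with the CVSS band."""
    return [a.cve for a in advisories
            if a.cvss is not None and a.severity != cvss_band(a.cvss)]


if __name__ == "__main__":
    advs = parse_rows(SAMPLE_ROWS)
    print("by CWE:", by_cwe(advs))
    print("priority (>=7.0, non-AI scores only):", prioritize(advs))
    print("unscored, triage by hand:", unscored(advs))
    print("severity missing or inconsistent:", severity_mismatches(advs))
```

Run as a script it prints the CWE counts (CWE-20 appears twice in the sample), the three entries at 7.0 or above in rank order, the one row with no score, and the row whose 8.1 score has no severity attached. The parser raises on any row it cannot match rather than skipping it, which is the behaviour you want when the output feeds a patch-priority decision.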

All 32 known CVE vulnerabilities affecting Weblate with full Chinese analysis, references, and POCs where available.