WeblateOrg — Vulnerabilities & Security Advisories (35)

Browse all 35 CVE security advisories affecting WeblateOrg. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WeblateOrg maintains Weblate, a web-based continuous localization system that manages translation projects for software teams. It integrates with version control systems, so a Weblate instance commonly has read and write access to the repositories it translates, which makes it a sensitive piece of infrastructure for the open-source and commercial projects that run it. The site counts 35 advisories for the organisation; the 30 listed below cover two products, the weblate server and the wlc command-line client. The recurring classes are server-side request forgery through URL-fetching features (webhook add-on, project-level machinery configuration, screenshot URL uploads, backup import), arbitrary file read and repository-boundary bypass via symlinks or prefix-only path checks (CWE-22), missing or improper access control and object enumeration in the REST API (CWE-862, CWE-284, CWE-203), cross-site scripting in rendered content (CWE-79, CWE-80), and session and API-token lifetime issues (CWE-613). The highest-rated entries are the git config file overwrite leading to remote code execution (CVSS 9.1, Critical), remote code execution during backup restoration, the privilege escalation in the user API endpoint, and the wlc path traversal in the download command. Because the server both fetches attacker-influenced URLs and writes into VCS working copies, operators should apply updates promptly, restrict outbound network access from the instance, and treat backups and repository contents as untrusted input.

Top products by WeblateOrg: weblate, wlc
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42150 | wlc: print_html outputs API data without HTML escaping, enabling stored XSS | wlc | CWE-79 | 5.1 | Medium | 2026-05-08 |
| CVE-2026-44264 | Weblate is vulnerable to XSS via crafted Markdown | weblate | CWE-80 | 4.3 | Medium | 2026-05-07 |
| CVE-2026-44263 | Weblate: Private Translation Enumeration via Screenshot API | weblate | CWE-203 | 4.3 | Medium | 2026-05-07 |
| CVE-2026-41519 | Weblate's API Token Not Invalidated on Password Change | weblate | CWE-613 | 4.2 | Medium | 2026-05-07 |
| CVE-2026-41654 | Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url | weblate | CWE-20 | 8.1 | - | 2026-05-07 |
| CVE-2026-40256 | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision | weblate | CWE-22 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-39845 | Weblate: SSRF via the webhook add-on using unprotected fetch_url() | weblate | CWE-918 | 4.1 | Medium | 2026-04-15 |
| CVE-2026-34393 | Weblate: Privilege escalation in the user API endpoint | weblate | CWE-269 | 8.8 | High | 2026-04-15 |
| CVE-2026-34244 | Weblate: SSRF via Project-Level Machinery Configuration | weblate | CWE-200 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-34242 | Weblate: Arbitrary File Read via Symlink | weblate | CWE-22 | 7.7 | High | 2026-04-15 |
| CVE-2026-33440 | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | weblate | CWE-918 | 5.0 | Medium | 2026-04-15 |
| CVE-2026-33435 | Weblate: Remote code execution during backup restoration | weblate | CWE-23 | 8.1 | High | 2026-04-15 |
| CVE-2026-33220 | Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository | weblate | CWE-22 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-33214 | Weblate has improper access control for the translation memory API | weblate | CWE-862 | 4.3 | Medium | 2026-04-15 |
| CVE-2026-33212 | Weblate: Improper access control for pending tasks in API | weblate | CWE-284 | 3.1 | Low | 2026-04-15 |
| CVE-2026-27457 | Weblate: Missing access control for the AddonViewSet API exposes all addon configurations | weblate | CWE-862 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-24126 | Weblate has an argument injection in management console | weblate | CWE-88 | 6.6 | Medium | 2026-02-18 |
| CVE-2026-23535 | wlc Path traversal: Unsanitized API slugs in download command | wlc | CWE-22 | 8.1 | High | 2026-01-16 |
| CVE-2026-21889 | Weblate leaks information via screenshots | weblate | CWE-284 | 5.3 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2026-22251 | wlc may leak API keys due to an insecure API key configuration | wlc | CWE-200 | 5.3 | Medium | 2026-01-12 |
| CVE-2026-22250 | wlc can skip SSL verification | wlc | CWE-295 | 2.5 | Low | 2026-01-12 |
| CVE-2025-68398 | Weblate has git config file overwrite vulnerability that leads to remote code execution | weblate | CWE-20 | 9.1 | Critical | 2025-12-18 |
| CVE-2025-68279 | Weblate has an arbitrary file read via symbolic links | weblate | CWE-22 | 7.7 | High | 2025-12-18 |
| CVE-2025-67715 | Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) | weblate | CWE-284 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-67492 | Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration | weblate | CWE-1286 | 5.3 | Medium | 2025-12-16 |
| CVE-2025-66407 | Weblate has Server-Side Request Forgery vulnerability | weblate | CWE-352 | 5.0 | Medium | 2025-12-15 |
| CVE-2025-64725 | Weblate has improper validation upon invitation acceptance | weblate | CWE-286 | 4.3 (AI) | Medium (AI) | 2025-12-15 |
| CVE-2025-64326 | Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log | weblate | CWE-212 | 2.6 | Low | 2025-11-06 |
| CVE-2025-61587 | Weblate integration with Anubis can lead to Open Redirect via redir parameter | weblate | CWE-601 | 6.1 | - | 2025-10-01 |
| CVE-2025-58352 | Weblate has long session expiry times during second factor verification | weblate | CWE-613 | - | - (AI) | 2025-09-04 |

Values marked (AI) carry the source page's "AI" badge, meaning the score or severity was generated by the site rather than taken from the advisory; "-" means the field was not given. The CWE shown is the one the page assigns and is reproduced as-is, including entries where it does not obviously match the title (for example CWE-352 on the SSRF entry CVE-2025-66407).
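Several entries above share one root cause: a repository or asset path is checked with a string-prefix test on a lexically normalised path, which neither resolves symlinks nor distinguishes `/x/repo` from `/x/repo_other`. The following is an added illustration of that pattern and its fix, written for this page; it is not code from Weblate, and it does not reproduce the exact code paths of CVE-2026-40256, CVE-2026-34242 or CVE-2025-68279. The directory layout, file names and candidate paths are constructed for the demo, and a POSIX host with symlink support is assumed.

```python
"""
Added illustration, not code from Weblate: a prefix-based boundary check
(naive_is_inside) beside a realpath + commonpath check (safe_is_inside),
exercised against a constructed directory tree.
"""
import os
import shutil
import tempfile

# Client-supplied "paths inside the repository" (constructed for the demo)
CASES = {
    "plain": "public.txt",                           # legitimate
    "dotdot": "../../outside.txt",                   # classic traversal
    "prefix_collision": "../repo_other/secret.txt",  # ".../repo_other" starts with ".../repo"
    "symlink_escape": "escape/secret.txt",           # "escape" is a symlink out of the repo
}


def naive_is_inside(root: str, candidate: str) -> bool:
    """Vulnerable form: normalise lexically, then do a string-prefix test.

    normpath() collapses ".." but never resolves symlinks, and startswith()
    accepts any sibling whose name merely begins with the root's name.
    """
    joined = os.path.normpath(os.path.join(root, candidate))
    return joined.startswith(root)


def safe_is_inside(root: str, candidate: str) -> bool:
    """Hardened form: resolve symlinks on both sides, then compare whole
    path components with commonpath() instead of characters."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, candidate))
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # different drives on Windows, or absolute/relative mix
        return False


def build_fixture() -> tuple:
    """Create base/repo, base/repo_other, base/secret.txt and a symlink
    base/repo/escape -> base. Returns (base, repo). Constructed layout."""
    base = tempfile.mkdtemp(prefix="boundary-demo-")
    repo = os.path.join(base, "repo")
    os.makedirs(repo)
    os.makedirs(os.path.join(base, "repo_other"))
    for rel, text in (("repo/public.txt", "public"),
                      ("repo_other/secret.txt", "another project's file"),
                      ("secret.txt", "outside the repo")):
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    os.symlink(base, os.path.join(repo, "escape"))
    return base, repo


def run_demo() -> dict:
    """Evaluate every case against both checks; True means 'allowed'."""
    base, repo = build_fixture()
    try:
        return {
            "naive": {name: naive_is_inside(repo, p) for name, p in CASES.items()},
            "safe": {name: safe_is_inside(repo, p) for name, p in CASES.items()},
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for check, verdicts in run_demo().items():
        print(check, verdicts)
```

The naive check rejects the plain `../../` traversal but lets both the prefix collision and the symlink through; the hardened check rejects both. Even the hardened check only describes the filesystem at the moment it ran: if the path is opened later, a symlink can be swapped in between check and use, so the open itself should refuse to follow links (for example `os.open(path, os.O_RDONLY | os.O_NOFOLLOW)`) or the check should be repeated on the opened file descriptor.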
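The SSRF entries above include one whose title names the mechanism exactly: a host allowlist that is consulted for the URL the user submitted but not for the URL a redirect sends the server to (CVE-2026-33440, "redirect bypass of ALLOWED_ASSET_DOMAINS"). The block below is an added illustration of that gap and of the related one where an allowlisted name resolves to a private address; it is not Weblate's code, and `ALLOWED_HOSTS`, `FAKE_NET` and `FAKE_DNS` are constructed stand-ins for the real setting, the network and the resolver so that it runs offline.

```python
"""
Added illustration, not code from Weblate: a fetcher that validates only the
first URL (naive_fetch) beside one that validates hostname and resolved
address on every hop (safe_fetch), run against a constructed redirect chain.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_HOSTS = {"cdn.example.org", "assets.example.org"}  # constructed allowlist
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed network: URL -> (status, Location for 3xx / body otherwise)
FAKE_NET = {
    "https://cdn.example.org/shot.png": (200, "png bytes"),
    "https://cdn.example.org/redir": (302, "http://127.0.0.1:8000/admin/"),
    "http://127.0.0.1:8000/admin/": (200, "internal admin page"),
    "https://assets.example.org/logo.png": (200, "logo"),
}
# Constructed resolver: an allowlisted name can still point at a private address
FAKE_DNS = {"cdn.example.org": "93.184.216.34", "assets.example.org": "10.0.0.5"}


def resolve(host):
    """Return an IP literal for host, or None if it does not resolve."""
    try:
        return str(ipaddress.ip_address(host))  # already a literal
    except ValueError:
        return FAKE_DNS.get(host)


def hostname_allowed(url):
    """Check 1, the only one the vulnerable path performs: scheme and hostname."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def target_allowed(url):
    """Check 2: hostname allowlisted AND it resolves to a globally routable address."""
    if not hostname_allowed(url):
        return False
    ip = resolve(urlparse(url).hostname)
    return ip is not None and ipaddress.ip_address(ip).is_global


def http_get(url):
    """One request with automatic redirects disabled (stand-in for the HTTP client)."""
    return FAKE_NET.get(url, (404, None))


def naive_fetch(url):
    """Vulnerable: validate the submitted URL once, then follow redirects blindly."""
    if not hostname_allowed(url):
        return None
    for _ in range(MAX_HOPS):
        status, payload = http_get(url)
        if status in REDIRECTS:
            url = payload
            continue
        return url, status, payload
    return None


def safe_fetch(url):
    """Hardened: re-validate hostname and resolved address before every hop."""
    for _ in range(MAX_HOPS):
        if not target_allowed(url):
            return None
        status, payload = http_get(url)
        if status in REDIRECTS:
            url = payload
            continue
        return url, status, payload
    return None


if __name__ == "__main__":
    for u in ("https://cdn.example.org/redir", "https://assets.example.org/logo.png"):
        print(u, "naive:", naive_fetch(u), "safe:", safe_fetch(u))
```

Two things carry over to real code. The HTTP client must not follow redirects on its own (in `requests`, `allow_redirects=False`) or the per-hop check never runs. And the address checked here is not necessarily the address the client connects to a moment later, so a production fetcher should pin the connection to the resolved IP (or re-check at connect time) to close the DNS-rebinding window.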

This page lists every published CVE security advisory associated with WeblateOrg. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.