Product: weblate
37 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE | Affected versions | CVSS | Severity | Summary
CVE-2026-42150 | < 2.0.0 | 5.1 | MEDIUM | wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API re
CVE-2026-44264 | < 5.17.1 | 4.3 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-prov
CVE-2026-44263 | < 5.17.1 | 4.3 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the
CVE-2026-41654 | < 5.17.1 | 8.1 | HIGH | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on h
CVE-2026-41519 | < 5.17.1 | 4.2 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correc
CVE-2026-40256 | < 5.17 | 5.0 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks
CVE-2026-39845 | < 5.17 | 4.1 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections.
CVE-2026-34393 | < 5.17 | 8.8 | HIGH | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scop
CVE-2026-34244 | < 5.17 | 5.0 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-p
CVE-2026-34242 | < 5.17 | 7.7 | HIGH | Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, pote
CVE-2026-33440 | < 5.17 | 5.0 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first i
CVE-2026-33435 | < 5.17 | 8.0 | HIGH | Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configurat
CVE-2026-33220 | < 5.17 | 6.8 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, whic
CVE-2026-33214 | < 5.17 | 4.3 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, whic
CVE-2026-33212 | < 5.17 | 3.1 | LOW | Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. Th
CVE-2026-27457 | < 5.16.1 | 4.3 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 283
CVE-2026-24126 | < 5.16 | 6.6 | MEDIUM | Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while addi
CVE-2026-23535 | < 1.17.2 | 8.0 | HIGH | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an a
CVE-2026-21889 | < 5.15.2 | 7.5 | HIGH | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without p
CVE-2026-22251 | < 1.17.0 | 5.3 | MEDIUM | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the s
CVE-2026-22250 | < 1.17.0 | 2.5 | LOW | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some cra
CVE-2025-68398 | < 5.15.1 | 9.1 | CRITICAL | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and
CVE-2025-68279 | < 5.15.1 | 7.7 | HIGH | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server fil
CVE-2025-67715 | < 5.15 | 4.3 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or lis
CVE-2025-67492 | < 5.15 | 5.3 | MEDIUM | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many reposi
CVE-2025-66407 | < 5.15 | 5.0 | MEDIUM | Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new transla
CVE-2025-64725 | < 5.15 | 9.8 | CRITICAL | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different
CVE-2025-64326 | < 5.14.1 | 2.6 | LOW | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting
CVE-2025-61587 | < 5.13.3 | 6.1 | MEDIUM | Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.
CVE-2025-58352 | < 5.13.1 | 6.5 | MEDIUM | Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry durin
CVE-2025-49134 | < 5.12 | 5.3 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the a
CVE-2025-47951 | < 5.12 | 4.9 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate lim
CVE-2025-32021 | < 5.11 | 2.2 | LOW | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has
CVE-2024-39303 | >= 4.14 and < 5.6.2 | 4.4 | MEDIUM | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring proje
CVE-2022-23915 | < 4.11.1 | 7.2 | HIGH | The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git o
CVE-2022-24710 | < 4.11 | 5.4 | MEDIUM | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user in
CVE-2017-5537 | <= 2.10 | 5.3 | MEDIUM | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is assoc
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin