— PyPI
PYSEC-2022-162 · BIT-weblate-2022-23915, CVE-2022-23915 Modified: 12/6/2023
package
PyPI / weblate
pkg:pypi/weblate
— PyPI
PYSEC-2022-31 · BIT-weblate-2022-23915, CVE-2022-23915 Modified: 12/6/2023
— PyPI
PYSEC-2022-35 · BIT-weblate-2022-24710, CVE-2022-24710 Modified: 12/6/2023
LOW 3.5 PyPI
PYSEC-2025-230 · CVE-2025-64326, GHSA-gr35-vpx2-qxhc Modified: 5/20/2026
MEDIUM 5.0 PyPI
PYSEC-2025-231 · CVE-2025-66407, GHSA-hfpv-mc5v-p9mm Modified: 5/20/2026
MEDIUM 5.3 PyPI
PYSEC-2025-232 · CVE-2025-67492, GHSA-pj86-258h-qrvf Modified: 5/20/2026
MEDIUM 4.3 PyPI
PYSEC-2025-233 · CVE-2025-67715, GHSA-3pmh-24wp-xpf4 Modified: 5/20/2026
HIGH 7.5 PyPI
PYSEC-2025-35 · CVE-2025-32021, GHSA-m67m-3p5g-cw9j Modified: 2/5/2026
MEDIUM 4.3 PyPI
PYSEC-2026-152 · CVE-2026-33214, GHSA-mpf5-3vph-q75r Modified: 5/20/2026
MEDIUM 6.8 PyPI
PYSEC-2026-153 · CVE-2026-33220, GHSA-mqph-7h49-hqfm Modified: 5/20/2026
HIGH 8.0 PyPI
PYSEC-2026-154 · CVE-2026-33435, GHSA-558g-h753-6m33 Modified: 5/20/2026
HIGH 8.8 PyPI
PYSEC-2026-155 · CVE-2026-34393, GHSA-3382-gw9x-477v Modified: 5/20/2026
MEDIUM 4.1 PyPI
PYSEC-2026-156 · CVE-2026-39845, GHSA-f8hv-g549-hwg2 Modified: 5/20/2026
HIGH 8.8 PyPI
GHSA-3382-gw9x-477v · CVE-2026-34393, PYSEC-2026-155 Weblate: Privilege escalation in the user API endpoint
Modified: 5/20/2026
MEDIUM 6.6 PyPI
GHSA-33fm-6gp7-4p47 · CVE-2026-24126 Weblate has an argument injection in management console
Modified: 2/22/2026
LOW PyPI
GHSA-377j-wj38-4728 · CVE-2025-58352 Weblate has a long session expiry when verifying second factor
Modified: 9/5/2025
HIGH 8.8 PyPI
GHSA-3872-f48p-pxqj · BIT-weblate-2022-23915, CVE-2022-23915 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
Modified: 11/19/2024
LOW PyPI
GHSA-3g2f-4rjg-9385 · CVE-2026-21889 Weblate leaks information via screenshots
Modified: 2/3/2026
MEDIUM 4.3 PyPI
GHSA-3pmh-24wp-xpf4 · CVE-2025-67715, PYSEC-2025-233 Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
Modified: 5/20/2026
MEDIUM 5.3 PyPI
GHSA-4qqf-9m5c-w2c5 · CVE-2025-49134 Weblate exposes personal IP address via e-mail
Modified: 7/16/2025
HIGH 8.0 PyPI
GHSA-558g-h753-6m33 · CVE-2026-33435, PYSEC-2026-154 Weblate: Remote code execution during backup restoration
Modified: 5/20/2026
MEDIUM 4.9 PyPI
GHSA-57jg-m997-cx3q · CVE-2025-47951 Weblate lacks rate limiting when verifying second factor
Modified: 6/16/2025
MEDIUM 4.3 PyPI
GHSA-5cmv-3rc4-7279 · CVE-2026-44264 Weblate vulnerable to XSS via crafted Markdown
Modified: 5/8/2026
MEDIUM 5.0 PyPI
GHSA-5fhx-9jwj-867m · CVE-2026-33440 Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
Modified: 4/16/2026
MEDIUM 4.2 PyPI
GHSA-6j8j-4qp3-36p2 · CVE-2026-41519 Weblate Doesn't Invalidate API Token on Password Change
Modified: 5/8/2026
MEDIUM 5.4 PyPI
GHSA-6jp6-9rf9-gc66 · BIT-weblate-2022-24710, CVE-2022-24710 Cross-site Scripting in Weblate
Modified: 11/19/2024
MEDIUM 4.6 PyPI
GHSA-6wxc-8mgq-w26m · CVE-2026-45106 Weblate: Stored HTML injection in editor search preview
Modified: 5/15/2026
CRITICAL 9.1 PyPI
GHSA-8vcg-cfxj-p5m3 · CVE-2025-68398 Weblate is vulnerable to RCE through Git config file overwrite
Modified: 2/6/2026
MEDIUM PyPI
GHSA-cwcx-382v-8m9g · CVE-2026-41654 Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Modified: 5/8/2026
MEDIUM 4.1 PyPI
GHSA-f8hv-g549-hwg2 · CVE-2026-39845, PYSEC-2026-156 Weblate: SSRF via the webhook add-on using unprotected fetch_url()
Modified: 5/20/2026
MEDIUM 5.0 PyPI
GHSA-ffgh-3jrf-8wvh · CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Modified: 4/16/2026
HIGH 7.7 PyPI
GHSA-g925-f788-4jh7 · CVE-2025-68279 Weblate has an arbitrary file read via symbolic links
Modified: 12/20/2025
MEDIUM 4.3 PyPI
GHSA-gcg5-86jr-f7jg · CVE-2026-44263 Weblate Vulnerable to Private Translation Enumeration via Screenshot API
Modified: 5/8/2026
LOW 2.6 PyPI
GHSA-gr35-vpx2-qxhc · CVE-2025-64326, PYSEC-2025-126 Weblate leaks the IP of project member inviting user to be reviewer in Audit log
Modified: 5/20/2026
MEDIUM 5.0 PyPI
GHSA-hfpv-mc5v-p9mm · CVE-2025-66407, PYSEC-2025-231 Weblate has a Server-Side Request Forgery issue
Modified: 5/26/2026
HIGH 7.7 PyPI
GHSA-hv99-mxm5-q397 · CVE-2026-34242 Weblate: Arbitrary File Read via Symlink
Modified: 4/16/2026
MEDIUM 5.3 PyPI
GHSA-j24g-gm76-j829 · CVE-2017-5537, PYSEC-2017-42 Weblate user account enumeration via reset password form
Modified: 11/19/2024
MEDIUM 4.4 PyPI
GHSA-jfgp-674x-6q4p · CVE-2024-39303 Weblate vulnerable to improper sanitization of project backups
Modified: 11/21/2024
LOW 2.2 PyPI
GHSA-m67m-3p5g-cw9j · CVE-2025-32021, PYSEC-2025-35 VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
Modified: 2/4/2026
LOW PyPI
GHSA-m6hq-f4w9-qrjj · CVE-2025-64725 Weblate has improper validation upon invitation acceptance
Modified: 12/17/2025
MEDIUM 4.3 PyPI
GHSA-mpf5-3vph-q75r · CVE-2026-33214, PYSEC-2026-152 Weblate: Improper access control for the translation memory in API
Modified: 5/20/2026
MEDIUM 6.8 PyPI
GHSA-mqph-7h49-hqfm · CVE-2026-33220, PYSEC-2026-153 Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Modified: 5/20/2026
MEDIUM 5.3 PyPI
GHSA-pj86-258h-qrvf · CVE-2025-67492, PYSEC-2025-232 Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration
Modified: 5/20/2026
LOW 3.1 PyPI
GHSA-vj45-x3pj-f4w4 · CVE-2026-33212 Weblate: Improper access control for pending tasks in API
Modified: 4/16/2026
MEDIUM 4.3 PyPI
GHSA-wppc-7cq7-cgfv · CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Modified: 2/28/2026
MEDIUM 5.0 PyPI
GHSA-xrwr-fcw6-fmq8 · CVE-2026-34244 Weblate: SSRF via Project-Level Machinery Configuration
Modified: 4/16/2026
— PyPI
PYSEC-2017-42 · CVE-2017-5537, GHSA-j24g-gm76-j829 Modified: 11/8/2023