MEDIUM 5.3

PYSEC-2025-232

Details

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / weblate

Introduced in: 0 Fixed in: 5.15

Fix pip install --upgrade 'weblate>=5.15'

References

https://github.com/WeblateOrg/weblate/pull/17221 [FIX]
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf [FIX]