48 Total advisories
48 Vulnerabilities
0 Malware
Vulnerabilities
Severity  Score  CVE             Title
MEDIUM    4.6    CVE-2026-45106  Weblate: Stored HTML injection in editor search preview
UNKNOWN   -      CVE-2017-5537   (duplicate record, no title; the titled entry for this CVE is further down)
HIGH      7.5    CVE-2025-32021  (duplicate record, no title; the titled entry for this CVE follows)
LOW       2.2    CVE-2025-32021  VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
MEDIUM    5.3    CVE-2025-67492  Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration
MEDIUM    4.3    CVE-2025-67715  Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
HIGH      8.8    CVE-2026-34393  Weblate: Privilege escalation in the user API endpoint
HIGH      8.0    CVE-2026-33435  Weblate: Remote code execution during backup restoration
MEDIUM    6.8    CVE-2026-33220  Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
MEDIUM    4.1    CVE-2026-39845  Weblate: SSRF via the webhook add-on using unprotected fetch_url()
MEDIUM    4.3    CVE-2026-33214  Weblate: Improper access control for the translation memory in API
LOW       2.6    CVE-2025-64326  Weblate leaks the IP of project member inviting user to be reviewer in Audit log
MEDIUM    5.0    CVE-2025-66407  Weblate has a Server-Side Request Forgery issue
MEDIUM    4.1    CVE-2026-39845  (duplicate record, no title)
HIGH      8.8    CVE-2026-34393  (duplicate record, no title)
HIGH      8.0    CVE-2026-33435  (duplicate record, no title)
MEDIUM    6.8    CVE-2026-33220  (duplicate record, no title)
MEDIUM    4.3    CVE-2026-33214  (duplicate record, no title)
MEDIUM    4.3    CVE-2025-67715  (duplicate record, no title)
MEDIUM    5.3    CVE-2025-67492  (duplicate record, no title)
MEDIUM    5.0    CVE-2025-66407  (duplicate record, no title)
LOW       3.5    CVE-2025-64326  (duplicate record, no title; the first record scores it 2.6)
MEDIUM    4.2    CVE-2026-41519  Weblate Doesn't Invalidate API Token on Password Change
UNKNOWN   -      CVE-2026-41654  Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
MEDIUM    4.3    CVE-2026-44264  Weblate vulnerable to XSS via crafted Markdown
MEDIUM    4.3    CVE-2026-44263  Weblate Vulnerable to Private Translation Enumeration via Screenshot API
MEDIUM    5.0    CVE-2026-40256  Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
MEDIUM    5.0    CVE-2026-34244  Weblate: SSRF via Project-Level Machinery Configuration
HIGH      7.7    CVE-2026-34242  Weblate: Arbitrary File Read via Symlink
MEDIUM    5.0    CVE-2026-33440  Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
LOW       3.1    CVE-2026-33212  Weblate: Improper access control for pending tasks in API
MEDIUM    4.3    CVE-2026-27457  Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
MEDIUM    6.6    CVE-2026-24126  Weblate has an argument injection in management console
CRITICAL  9.1    CVE-2025-68398  Weblate is vulnerable to RCE through Git config file overwrite
UNKNOWN   -      CVE-2022-23915  Duplicate Advisory: Command injection in Weblate
UNKNOWN   -      CVE-2026-21889  Weblate leaks information via screenshots
HIGH      7.7    CVE-2025-68279  Weblate has an arbitrary file read via symbolic links
UNKNOWN   -      CVE-2025-64725  Weblate has improper validation upon invitation acceptance
UNKNOWN   -      CVE-2025-58352  Weblate has a long session expiry when verifying second factor
MEDIUM    5.3    CVE-2025-49134  Weblate exposes personal IP address via e-mail
MEDIUM    4.9    CVE-2025-47951  Weblate lacks rate limiting when verifying second factor
MEDIUM    4.4    CVE-2024-39303  Weblate vulnerable to improper sanitization of project backups
HIGH      8.8    CVE-2022-23915  Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
MEDIUM    5.4    CVE-2022-24710  Cross-site Scripting in Weblate
MEDIUM    5.3    CVE-2017-5537   Weblate user account enumeration via reset password form
UNKNOWN   -      CVE-2022-24710  (duplicate record, no title)
UNKNOWN   -      CVE-2022-23915  (duplicate record, no title)
UNKNOWN   -      CVE-2022-23915  (duplicate record, no title)

Score is given as listed; "-" where the listing gives none. Rows marked "duplicate record" are additional entries for a CVE that appears elsewhere in the list with a title; they are counted in the 48 advisories above.
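Three entries above (CVE-2026-40256, CVE-2026-34242, CVE-2025-68279) describe the same class of repository boundary failure: a path check that compares string prefixes and is defeated either by a symlink or by a sibling directory whose name merely begins with the repository path. The block below is an added illustration of that class, not Weblate's code or its actual fix; the directory layout, the symlink names and the three check functions are assumptions constructed for the example.

```python
"""
Illustration of the path-boundary bug class named in CVE-2026-40256,
CVE-2026-34242 and CVE-2025-68279 above. This is an added example, not
Weblate's code or its fix: the directory layout, the symlink names and the
three check functions are all constructed here. Needs a filesystem on which
the current user may create symlinks (an ordinary Linux/macOS user is enough).
"""
import os
import tempfile
from pathlib import Path


def check_normpath_prefix(repo: str, candidate: str) -> bool:
    """Weakest form: normalise and compare strings. normpath() does not touch
    symlinks, so anything reachable through a link inside the repo passes."""
    return os.path.normpath(candidate).startswith(os.path.normpath(repo))


def check_realpath_prefix(repo: str, candidate: str) -> bool:
    """Common 'fix': resolve symlinks first, then still compare as strings.
    Blocks a link to an unrelated directory, but "/x/repo" is a string prefix
    of "/x/repo-other/...", so a sibling with a colliding name still passes."""
    return os.path.realpath(candidate).startswith(os.path.realpath(repo))


def check_components(repo: str, candidate: str) -> bool:
    """Hardened: resolve both sides, then compare path *components*.
    Path.relative_to() raises unless the candidate is the root itself or lies
    beneath it, which rejects both the symlink escape and the prefix collision."""
    root = Path(repo).resolve(strict=True)
    target = Path(candidate).resolve()  # non-strict: the file may not exist yet
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def build_fixture() -> dict:
    """Constructed layout under a fresh temp dir (not a real checkout):
        repo/po/cs.po              legitimate translation file
        repo-other/secret          sibling dir whose path starts with 'repo'
        outside/secret             unrelated dir
        repo/link_other -> repo-other   (absolute symlink)
        repo/link_out   -> outside      (absolute symlink)
    Returns the repo path plus one candidate path per scenario."""
    base = Path(tempfile.mkdtemp(prefix="repo-boundary-"))
    repo, other, outside = base / "repo", base / "repo-other", base / "outside"
    for d in (repo / "po", other, outside):
        d.mkdir(parents=True)
    (repo / "po" / "cs.po").write_text('msgid ""\nmsgstr ""\n')
    (other / "secret").write_text("sibling secret\n")
    (outside / "secret").write_text("outside secret\n")
    os.symlink(other, repo / "link_other")
    os.symlink(outside, repo / "link_out")
    return {
        "repo": str(repo),
        "legit": str(repo / "po" / "cs.po"),
        "prefix_collision": str(other / "secret"),
        "symlink_to_collision": str(repo / "link_other" / "secret"),
        "symlink_out": str(repo / "link_out" / "secret"),
    }


def run_checks(fx: dict) -> dict:
    """Apply all three checks to every scenario.
    Returns {scenario: (normpath_prefix, realpath_prefix, components)}."""
    checks = (check_normpath_prefix, check_realpath_prefix, check_components)
    scenarios = ("legit", "prefix_collision", "symlink_to_collision", "symlink_out")
    return {name: tuple(chk(fx["repo"], fx[name]) for chk in checks) for name in scenarios}


if __name__ == "__main__":
    for name, (np_ok, rp_ok, comp_ok) in run_checks(build_fixture()).items():
        print(f"{name:22} normpath={np_ok!s:5} realpath={rp_ok!s:5} components={comp_ok}")
```

Only the component-wise check rejects all three escapes; note that resolving symlinks alone (the `realpath` variant) still lets the link into `repo-other` through, which is exactly the "prefix collision" the CVE-2026-40256 title refers to.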
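Several entries above are SSRF findings, and CVE-2026-33440 names the specific pattern of an allowlist (ALLOWED_ASSET_DOMAINS) that is checked against the submitted URL but bypassed by an HTTP redirect. The block below is an added example, not Weblate's code or its fix: it simulates the HTTP client and DNS with constructed responses so it runs offline (the allowlist value, the hostnames, the addresses and the fake responses are all assumptions), and contrasts a fetcher that validates only the first URL with one that re-validates every hop.

```python
"""
Added illustration of the SSRF class behind CVE-2026-33440 (allowlist bypassed
via redirect) and the other SSRF entries above. Not Weblate code: the
ALLOWED_ASSET_DOMAINS contents, the fake HTTP responses and the fake DNS
table are constructed so the example runs offline.
"""
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_ASSET_DOMAINS = {"cdn.example.com"}  # assumed allowlist value
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed "internet": url -> (status, headers, body).
FAKE_WEB = {
    "https://cdn.example.com/logo.png": (200, {}, b"\x89PNG fake image bytes"),
    # The allowed host answers with a redirect into the cloud metadata service.
    "https://cdn.example.com/open-redirect.png": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
}
# Constructed DNS: hostname -> address.
FAKE_DNS = {"cdn.example.com": "93.184.216.34", "169.254.169.254": "169.254.169.254"}


def fake_http_get(url, follow_redirects, max_hops=5):
    """Stand-in for an HTTP client. With follow_redirects=True it does what
    most client libraries do by default: silently chase Location headers."""
    hops = 0
    while True:
        status, headers, body = FAKE_WEB.get(url, (404, {}, b""))
        if status in REDIRECT_CODES and follow_redirects and hops < max_hops:
            url = urljoin(url, headers["Location"])
            hops += 1
            continue
        return url, status, headers, body


def url_allowed(url):
    """Policy for ONE url: http(s) only, host on the allowlist, and the host's
    resolved address globally routable (rejects 169.254/16, 10/8, 127/8, ...).
    A real client should also connect to the address it validated, so DNS
    cannot change between check and use."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if p.hostname not in ALLOWED_ASSET_DOMAINS:
        return False
    return ipaddress.ip_address(FAKE_DNS.get(p.hostname, "0.0.0.0")).is_global


def naive_fetch(url):
    """Vulnerable pattern: validate only the URL the user supplied, then let
    the client follow redirects wherever they lead."""
    if not url_allowed(url):
        raise ValueError("blocked: " + url)
    final_url, status, _, body = fake_http_get(url, follow_redirects=True)
    return final_url, status, body


def safe_fetch(url, max_hops=3):
    """Hardened pattern: the client never follows redirects itself; every hop
    is validated against the same policy before it is requested."""
    for _ in range(max_hops + 1):
        if not url_allowed(url):
            raise ValueError("blocked: " + url)
        final_url, status, headers, body = fake_http_get(url, follow_redirects=False)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return final_url, status, body
    raise ValueError("too many redirects")


def is_blocked(fetch, url):
    """True if `fetch` refuses `url`; used to compare the two fetchers."""
    try:
        fetch(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    target = "https://cdn.example.com/open-redirect.png"
    print("naive lands on:", naive_fetch(target)[0])   # the metadata service
    print("safe blocks redirect:", is_blocked(safe_fetch, target))
```

The naive fetcher passes the policy check and then hands the metadata response back to the caller; the hardened one refuses the second hop because `169.254.169.254` is neither on the allowlist nor globally routable. Disabling automatic redirects in the real client (for example `allow_redirects=False` in `requests`) is what makes the per-hop check possible.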
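CVE-2025-32021 above concerns VCS credentials embedded in URLs that then reach logs and browser history in plaintext. As an added example (not Weblate's code or its fix), the block below redacts the userinfo password and an assumed list of credential-bearing query parameters from a URL, and wires that into a `logging.Filter` so the scrubbing happens before any log line is written; the parameter names, the URL regex and the sample log line are constructed for the illustration.

```python
"""
Added illustration for CVE-2025-32021 (VCS credentials in URLs reaching logs
and browser history). Not Weblate code: the parameter names treated as secret,
the regex used to spot URLs and the sample log line are constructed here.
"""
import io
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters assumed to carry credentials (extend for your VCS hosts).
SECRET_PARAMS = {"token", "access_token", "private_token", "oauth_token", "password"}
MASK = "REDACTED"


def redact_vcs_url(url: str) -> str:
    """Mask the userinfo password and any secret-bearing query parameter,
    leaving scheme, user name, host, path and harmless parameters intact so
    the logged URL is still useful for debugging."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        userinfo, hostport = netloc.rsplit("@", 1)
        user, has_pw, _ = userinfo.partition(":")
        netloc = f"{user}:{MASK}@{hostport}" if has_pw else f"{user}@{hostport}"
    query = parts.query
    if query:
        pairs = parse_qsl(query, keep_blank_values=True)
        query = urlencode([(k, MASK if k.lower() in SECRET_PARAMS else v) for k, v in pairs])
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


class RedactUrlFilter(logging.Filter):
    """Handler-level filter: rewrites every record so URLs carrying credentials
    are scrubbed before any formatter or log file sees them."""
    URL_RE = re.compile(r"""\b(?:https?|ssh|git\+https?|git)://[^\s"'<>]+""")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.URL_RE.sub(lambda m: redact_vcs_url(m.group(0)), record.getMessage())
        record.args = ()  # message is now fully rendered; drop the unrendered args
        return True


def log_update_line(url: str) -> str:
    """Emit one constructed log line through a handler carrying the filter
    and return exactly what would have been written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactUrlFilter())
    log = logging.getLogger("vcs-redact-demo")
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("updating repository %s", url)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    sample = "https://deploy:s3cr3t@git.example.com/org/app.git?private_token=glpat-abc&ref=main"
    print(log_update_line(sample), end="")
```

Attaching the filter to the handler rather than to one logger means every logger that feeds that handler is covered, including third-party code that formats the repository URL into its own messages. The redaction keeps the user name and the non-secret `ref` parameter so the line remains diagnosable.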