Weblate leaks information via screenshots

GHSA-3g2f-4rjg-9385 · CVE-2026-21889

Published Jan 14, 2026 · Modified Feb 3, 2026

Description

Impact

The screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename.

Patches

https://github.com/WeblateOrg/weblate/pull/17516

References

Thanks to Lukas May and Michael Leu for reporting this.

References

WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-21889
WEB https://github.com/WeblateOrg/weblate/pull/17516
WEB https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47
PACKAGE https://github.com/WeblateOrg/weblate

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes