MEDIUM 4.1 PyPI
Weblate: SSRF via the webhook add-on using unprotected fetch_url()
GHSA-f8hv-g549-hwg2 · CVE-2026-39845 · PYSEC-2026-156
Description
Impact
The webhook add-on called fetch_url() without the SSRF protection that Weblate already applies to other outbound requests, so webhook targets were fetched without that validation.
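As an added illustration (not Weblate's own code), this is the shape of guard an outbound webhook fetch should pass through before any request is made: every address the target resolves to must be public. The function names, SSRFBlocked, and the SAMPLE_DNS table are constructed for the example; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(ValueError):
    """Raised when a webhook target would reach a non-public address."""


def _resolve(host):
    # Default resolver: the set of every address the hostname maps to.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed DNS data for offline use (these names and addresses are made up).
SAMPLE_DNS = {
    "hooks.example.com": {"1.2.3.4"},
    "internal.example.com": {"1.2.3.4", "10.0.0.5"},  # one public, one private
}


def sample_resolve(host):
    return SAMPLE_DNS[host]


def validate_webhook_url(url, resolve=_resolve):
    """Return the parsed URL if it is safe to fetch, else raise SSRFBlocked.

    A hostname is checked against *every* address it resolves to, so a name
    that maps to both a public and a private address is still rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:
        addresses = {ipaddress.ip_address(host)}  # literal IP, incl. [::1]
    except ValueError:
        addresses = {ipaddress.ip_address(a) for a in resolve(host)}
    for addr in addresses:
        # is_global is False for loopback, private, link-local and reserved ranges.
        if not addr.is_global:
            raise SSRFBlocked(f"{host} resolves to non-public address {addr}")
    return parsed


def is_safe_webhook_url(url, resolve=_resolve):
    try:
        validate_webhook_url(url, resolve)
        return True
    except SSRFBlocked:
        return False


def protected_fetch_url(url, http_get, resolve=_resolve):
    # The fixed shape: the same fetch as before, but only after the guard passes.
    validate_webhook_url(url, resolve)
    return http_get(url)
```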
Patches
Workarounds
Disabling the webhook add-on prevents this from being exploited.
References
Thanks to @Lihfdgjr for reporting this via GitHub.
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-39845
- WEB https://github.com/WeblateOrg/weblate/pull/18815
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-156.yaml