| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40256 | Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision | WeblateOrg | weblate | Medium | 5.0 | 2026-04-15 18:36:45 | Deep Dive |
| CVE-2026-39845 | Weblate: SSRF via the webhook add-on using unprotected fetch_url() | WeblateOrg | weblate | Medium | 4.1 | 2026-04-15 18:26:52 | Deep Dive |
| CVE-2026-34393 | Weblate: Privilege escalation in the user API endpoint | WeblateOrg | weblate | High | 8.8 | 2026-04-15 18:24:31 | Deep Dive |
| CVE-2026-34244 | Weblate: SSRF via Project-Level Machinery Configuration | WeblateOrg | weblate | Medium | 5.0 | 2026-04-15 18:22:43 | Deep Dive |
| CVE-2026-34242 | Weblate: Arbitrary File Read via Symlink | WeblateOrg | weblate | High | 7.7 | 2026-04-15 18:20:00 | Deep Dive |
| CVE-2026-33440 | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | WeblateOrg | weblate | Medium | 5.0 | 2026-04-15 18:15:13 | Deep Dive |
| CVE-2026-33435 | Weblate: Remote code execution during backup restoration | WeblateOrg | weblate | High | 8.0 | 2026-04-15 18:13:08 | Deep Dive |
| CVE-2026-33220 | Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository | WeblateOrg | weblate | Medium | 6.8 | 2026-04-15 18:03:41 | Deep Dive |
| CVE-2026-33214 | Weblate has improper access control for the translation memory API | WeblateOrg | weblate | Medium | 4.3 | 2026-04-15 17:51:47 | Deep Dive |
| CVE-2026-33212 | Weblate: Improper access control for pending tasks in API | WeblateOrg | weblate | Low | 3.1 | 2026-04-15 17:48:18 | Deep Dive |
| CVE-2026-27457 | Weblate: Missing access control for the AddonViewSet API exposes all addon configurations | WeblateOrg | weblate | Medium | 4.3 | 2026-02-26 21:56:03 | Deep Dive |
| CVE-2026-24126 | Weblate has an argument injection in management console | WeblateOrg | weblate | Medium | 6.6 | 2026-02-18 23:05:03 | Deep Dive |
| CVE-2026-21889 | Weblate leaks information via screenshots | WeblateOrg | weblate | - | - | 2026-01-14 16:28:30 | Deep Dive |
| CVE-2025-68398 | Weblate has git config file overwrite vulnerability that leads to remote code execution | WeblateOrg | weblate | Critical | 9.1 | 2025-12-18 23:00:58 | Deep Dive |
| CVE-2025-68279 | Weblate has an arbitrary file read via symbolic links | WeblateOrg | weblate | High | 7.7 | 2025-12-18 22:59:29 | Deep Dive |
| CVE-2025-67715 | Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) | WeblateOrg | weblate | Medium | 4.3 | 2025-12-16 00:07:43 | Deep Dive |
| CVE-2025-67492 | Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration | WeblateOrg | weblate | Medium | 5.3 | 2025-12-16 00:05:57 | Deep Dive |
| CVE-2025-66407 | Weblate has Server-Side Request Forgery vulnerability | WeblateOrg | weblate | Medium | 5.0 | 2025-12-15 23:36:26 | Deep Dive |
| CVE-2025-64725 | Weblate has improper validation upon invitation acceptance | WeblateOrg | weblate | - | - | 2025-12-15 20:21:07 | Deep Dive |
| CVE-2025-64326 | Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log | WeblateOrg | weblate | Low | 2.6 | 2025-11-06 20:55:18 | Deep Dive |