Description
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
Published: 2026-01-14
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via unauthenticated screenshot access
Action: Patch
AI Analysis

Impact

Weblate served screenshot images without access control in versions prior to 5.15.2, allowing an unauthenticated user to obtain a screenshot by guessing its file name. Screenshots are attached to source strings to give translators visual context for the interface being translated, so a leaked image can expose interface content the operator never intended to publish, a loss of confidentiality. This weakness maps to improper access control (CWE-284).

Affected Systems

Weblate, released by WeblateOrg, is affected in all versions earlier than 5.15.2 (the NVD CPE cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:* carries no lower bound). Any deployment on an earlier release is affected until it is upgraded.

Risk and Exploitability

The 2.3 Low score is the CVSS 4.0 vector assigned by GitHub (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N), which rates attack complexity as high because the attacker has to guess or enumerate a screenshot file name, and assumes low privileges. NVD's CVSS 3.1 assessment of the same issue is 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), treating the files as reachable without any authentication and the confidentiality impact as high; the advisory text itself describes the attacker as unauthenticated. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in CISA's KEV catalog. Instances whose screenshots show unreleased or internal interfaces should weight the NVD rating rather than the 2.3 headline score.

Generated by OpenCVE AI on April 18, 2026 at 16:17 UTC.

Remediation

Fixed in Weblate 5.15.2. No vendor workaround for earlier releases is listed; see the OpenCVE Recommended Actions below for interim mitigations.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.15.2 or later, which includes the access control fix.
  • If an upgrade is not immediately feasible, configure the web server to protect the screenshots directory with authentication or access restrictions, or remove the directory from public access.
  • If neither upgrading nor reconfiguring the web server is possible, stop screenshot uploads in Weblate and delete existing screenshot files from the media directory. This removes the visual context translators see for those strings, so treat it as a stopgap until the upgrade.
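As an added illustration of the web-server workaround in the list above (this is not Weblate's own configuration and not the 5.15.2 fix itself), here is an nginx `location` block of the kind commonly used to serve Weblate's media directory as static files, followed by a hardened version that stops serving the screenshots subdirectory until the upgrade. The media path `/home/weblate/data/media/` and the `screenshots/` upload subdirectory are assumptions; confirm `DATA_DIR` and the actual upload path on your instance before applying it.

```nginx
# --- Before (assumed typical setup) ---
# The whole media tree, screenshots included, is served as static files
# with no access control. Anyone who knows or guesses a filename gets the
# image, which is the exposure described by CVE-2026-21889.
location /media/ {
    alias /home/weblate/data/media/;   # assumption: DATA_DIR/media
    expires 30d;
}

# --- After (replace the block above with these two; nginx rejects
# --- duplicate /media/ locations in one server block) ---
# Refuse the screenshots subdirectory outright. "^~" gives this prefix
# priority over the broader /media/ location, so the deny cannot be
# bypassed by matching the generic media rule first.
location ^~ /media/screenshots/ {      # assumption: screenshot upload path
    return 403;
}

# Everything else under /media/ (for example avatars or exported files)
# keeps being served as before.
location /media/ {
    alias /home/weblate/data/media/;   # assumption: DATA_DIR/media
    expires 30d;
}
```

Run `nginx -t` before reloading, then check the rule from outside the network with `curl -sI https://weblate.example.com/media/screenshots/any-name.png` (hostname assumed); a 403 for an unauthenticated request confirms the directory is no longer exposed. Because the deny also hides screenshots from legitimate translators in the Weblate UI, this is an interim measure; the proper fix is the 5.15.2 upgrade, after which the extra `location` block should be removed. Other web servers need the equivalent deny rule on the same prefix.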



Advisories

Source: GitHub GHSA
ID: GHSA-3g2f-4rjg-9385
Title: Weblate leaks information via screenshots
History

Fri, 23 Jan 2026 15:00:00 +0000

Values added:
  Weaknesses: NVD-CWE-noinfo
  CPEs: cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
  Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 15 Jan 2026 08:15:00 +0000

Values added:
  First Time appeared: Weblate; Weblate weblate
  Vendors & Products: Weblate; Weblate weblate

Wed, 14 Jan 2026 17:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 17:00:00 +0000

Values added:
  Description: Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
  Title: Weblate leaks information via screenshots
  Weaknesses: CWE-284
  References
  Metrics: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-14T16:58:35.235Z
Reserved: 2026-01-05T17:24:36.929Z
Link: CVE-2026-21889

Vulnrichment

Updated: 2026-01-14T16:58:31.320Z

NVD

Status: Analyzed
Published: 2026-01-14T17:16:07.940
Modified: 2026-01-23T14:49:52.287
Link: CVE-2026-21889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses