Description
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
Published: 2026-04-15
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Local File Read
Action: Patch Now
AI Analysis

Impact

In Weblate versions below 5.17, the translation memory API exposed unintended endpoints that did not enforce proper access control. An attacker can abuse these endpoints to read any local file on the server, including files outside the project repository. This allows the disclosure of sensitive data and represents a confidentiality compromise.

Affected Systems

The flaw is present in all Weblate installations from WeblateOrg that run versions earlier than 5.17. It is specifically tied to the CDN add-on, a feature that is not enabled by default but can be activated by administrators.

Risk and Exploitability

The CVSS score of 6.8 reflects a moderate severity, with a missing EPSS score and no presence in the KEV catalog. The vulnerability can be exploited by users who are able to reach the exposed API endpoints, which may include authenticated users or any user with network access to the web application. Because the attack bypasses access controls, an attacker can read arbitrary files on the host machine. Mitigation requires updating Weblate or disabling the add-on so that the vulnerable endpoints are no longer exposed.

Generated by OpenCVE AI on April 15, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Weblate to version 5.17 or later, which removes the exposed endpoints and enforces proper access control.
  • If an upgrade cannot be performed immediately, configure the CDN add-on to be disabled so that the vulnerable feature remains inactive.
  • Verify that the translation memory API endpoints are no longer reachable without proper authorization and monitor logs for any anomalous access attempts.


Advisories
Source: Github GHSA
ID: GHSA-mqph-7h49-hqfm
Title: Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
History

Thu, 16 Apr 2026 14:15:00 +0000

Values added:
Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Values added:
First Time appeared: Weblate; Weblate weblate
Vendors & Products: Weblate; Weblate weblate

Wed, 15 Apr 2026 18:30:00 +0000

Values added:
Description: Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
Title: Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Weaknesses: CWE-200, CWE-22
References:
Metrics: cvssV3_1
{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T14:10:15.340Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33220

Vulnrichment

Updated: 2026-04-16T14:10:05.870Z

NVD

Status: Received

Published: 2026-04-15T19:16:35.130

Modified: 2026-04-15T19:16:35.130

Link: CVE-2026-33220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:36Z

Weaknesses