Description
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.
Published: 2026-04-15
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery via redirect bypass for authenticated users
Action: Update to 5.17
AI Analysis

Impact

Weblate versions before 5.17 allow an authenticated user to trigger a Server‑Side Request Forgery by uploading a screenshot URL that redirects. The ALLOWED_ASSET_DOMAINS setting only applies to the initial request, so any subsequent redirects can reach arbitrary hosts. This flaw can be used to access internal network resources, read sensitive data, or potentially reach services that do not expose themselves externally. The vulnerability is classified as CWE‑918.

Affected Systems

The affected product is Weblate developed by WeblateOrg. All versions of Weblate prior to 5.17 are vulnerable. Versions 5.17 and later contain the fix that correctly enforces the asset domain restriction for all redirects.

Risk and Exploitability

The CVSS score for this issue is 5.0, reflecting moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated within Weblate, but once authenticated can inject arbitrary URLs that will be processed by the server. Because no external exploit is known and the impact is limited to internal resources, the overall risk is moderate, but the flaw remains significant for sites exposed to external contributors who can upload screenshots.

Generated by OpenCVE AI on April 15, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.17 or later to apply the official fix for the SSRF bypass.
  • If an upgrade is not immediately possible, configure the ALLOWED_ASSET_DOMAINS setting to include only trusted domains or IP ranges, thereby limiting the scope of asset uploads.
  • Consider disabling or strictly validating redirects in the asset upload processing to prevent future bypasses of domain restrictions.
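The Impact section above describes the defect (the domain allow-list checked on the first request only, while redirects were followed unchecked) and the third action above recommends validating redirects. The following Python example is added here to show both patterns side by side; it is not Weblate's own code and does not reproduce Weblate's actual fix. The allow-list values, the `intranet.internal` host and the fake HTTP transport are constructed for the example so it runs offline; `ALLOWED_ASSET_DOMAINS` is used only as the name of the hypothetical setting.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical allow-list playing the role of Weblate's ALLOWED_ASSET_DOMAINS
# setting (constructed values; not Weblate's configuration).
ALLOWED_ASSET_DOMAINS = {"assets.example.org", "cdn.example.org"}
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class AssetFetchError(Exception):
    """Raised when a URL (or a redirect target) fails the allow-list check."""


def host_allowed(url: str, allowed=ALLOWED_ASSET_DOMAINS) -> bool:
    """True only for http(s) URLs whose host is exactly in the allow-list."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed


def _next_hop(url: str, status: int, headers: dict):
    """Return the resolved redirect target, or None if the response is final."""
    if status not in REDIRECT_STATUSES:
        return None
    location = headers.get("Location")
    if not location:
        raise AssetFetchError("redirect without Location header")
    # Location may be relative; resolve it against the current URL.
    return urljoin(url, location)


def fetch_asset_first_hop_only(url, transport, allowed=ALLOWED_ASSET_DOMAINS):
    """Pre-fix pattern: the allow-list is checked once, then redirects are followed blindly."""
    if not host_allowed(url, allowed):
        raise AssetFetchError(f"host not allowed: {url}")
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url)
        target = _next_hop(url, status, headers)
        if target is None:
            return url, body
        url = target  # no re-check: an allowed host may redirect anywhere
    raise AssetFetchError("too many redirects")


def fetch_asset(url, transport, allowed=ALLOWED_ASSET_DOMAINS):
    """Hardened pattern: every hop of the redirect chain must pass the allow-list."""
    for _ in range(MAX_REDIRECTS + 1):
        if not host_allowed(url, allowed):
            raise AssetFetchError(f"host not allowed: {url}")
        status, headers, body = transport(url)
        target = _next_hop(url, status, headers)
        if target is None:
            return url, body
        url = target
    raise AssetFetchError("too many redirects")


# Constructed responses standing in for real HTTP servers (offline transport).
# An allowed host answers with a redirect to a constructed internal-only host.
FAKE_RESPONSES = {
    "https://assets.example.org/shot.png": (302, {"Location": "http://intranet.internal/status"}, b""),
    "http://intranet.internal/status": (200, {}, b"internal-only data"),
    "https://assets.example.org/moved.png": (301, {"Location": "/final.png"}, b""),
    "https://assets.example.org/final.png": (200, {}, b"\x89PNG"),
    "https://cdn.example.org/ok.png": (200, {}, b"\x89PNG"),
}


def fake_transport(url):
    """transport(url) -> (status, headers, body); never touches the network."""
    return FAKE_RESPONSES.get(url, (404, {}, b""))


def demo():
    """Compare both fetchers on a redirect that leaves the allow-list.

    Returns (body the first-hop-only fetcher leaked, whether the hardened fetcher blocked it).
    """
    leaked = fetch_asset_first_hop_only("https://assets.example.org/shot.png", fake_transport)[1]
    try:
        fetch_asset("https://assets.example.org/shot.png", fake_transport)
        blocked = False
    except AssetFetchError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Following redirects manually (rather than letting the HTTP client do it) is what makes the per-hop check possible; relative `Location` values are resolved against the current URL before being checked, and a bounded hop count stops redirect loops. The same structure applies whatever the allow-list contains, so the temporary mitigation in the second action above (a tighter `ALLOWED_ASSET_DOMAINS`) only helps on affected versions for the first request.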

Advisories

Source: Github GHSA
ID: GHSA-5fhx-9jwj-867m
Title: Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
History

Thu, 16 Apr 2026 09:30:00 +0000

Type: First Time appeared
Values Added: Weblate; Weblate weblate

Type: Vendors & Products
Values Added: Weblate; Weblate weblate

Wed, 15 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 18:30:00 +0000

Type: Description
Values Added: Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

Type: Title
Values Added: Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T18:49:25.077Z

Reserved: 2026-03-19T18:45:22.438Z

Link: CVE-2026-33440

Vulnrichment

Updated: 2026-04-15T18:49:12.319Z

NVD

Status : Received

Published: 2026-04-15T19:16:35.447

Modified: 2026-04-15T19:16:35.447

Link: CVE-2026-33440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:32Z

Weaknesses