Impact
In Weblate versions prior to 5.17, the webhook add‑on does not invoke the platform’s SSRF protection when it performs outbound HTTP requests through fetch_url(). This is a Server‑Side Request Forgery flaw: an attacker can make Weblate issue requests to arbitrary internal URLs, potentially exposing sensitive data or enabling further pivoting within the network. The vulnerability is classified as CWE‑918. The description mentions no expertise or privileges beyond those of a user who can add or configure webhooks, so the attack is inferred to require at least user‑level access to the webhook configuration interface.
Affected Systems
Any Weblate installation running a version older than 5.17 with the webhook add‑on in use is affected. The affected product is Weblate (WeblateOrg:weblate); no additional sub‑product information is provided.
Risk and Exploitability
The CVSS score of 4.1 places the flaw in the medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalogue, so it is not currently known to be widely exploited. Exploitation requires the ability to configure or trigger the webhook add‑on; the description does not state whether authentication or elevated privileges are needed, so that detail remains uncertain. The likely attack vector is interaction with the web application’s configuration interface, or tampering with incoming webhook data, to trigger a fetch_url() call to an attacker‑controlled endpoint.
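The defect the Impact and Risk sections describe is an outbound request helper that is called without the platform's destination check. The following is an added example, not Weblate's code: it shows the vulnerable shape (a fetch that goes straight to the transport) next to a guarded shape in which every outbound webhook URL is checked for scheme, host, and resolved address before the request leaves. All names (fetch_url_unguarded, fetch_url_guarded, validate_outbound_url, SSRFBlocked), the DNS table and the addresses in it are hypothetical and constructed for the example; the resolver is injectable so the block runs offline.

```python
"""Outbound-URL guard for a webhook fetch (added example, not Weblate's code).

Illustrates the class of defect in the advisory: an outbound request helper
that skips the destination check. All function names here are hypothetical.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(ValueError):
    """Raised when a webhook URL would reach a non-public destination."""


def _is_public(ip_text):
    # Strip an IPv6 zone id such as "%eth0" before parsing.
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_outbound_url(url, resolver=socket.getaddrinfo):
    """Return the sorted public IPs the URL resolves to, or raise SSRFBlocked.

    `resolver` has the call shape of socket.getaddrinfo so a fake can be
    injected for offline tests.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if parsed.username or parsed.password:
        raise SSRFBlocked("credentials in URL are not accepted")
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SSRFBlocked(f"bad port: {exc}")
    # A literal address needs no DNS lookup; check it directly.
    try:
        ipaddress.ip_address(host)
        candidates = {host}
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except OSError as exc:  # socket.gaierror is an OSError
            raise SSRFBlocked(f"cannot resolve {host!r}: {exc}")
        candidates = {info[4][0] for info in infos}
    if not candidates:
        raise SSRFBlocked(f"no addresses for {host!r}")
    # Every answer must be public; a single private record (e.g. in a
    # mixed A/AAAA answer) is enough to block the request.
    blocked = sorted(a for a in candidates if not _is_public(a))
    if blocked:
        raise SSRFBlocked(f"{host!r} resolves to non-public {blocked}")
    return sorted(candidates)


def fetch_url_unguarded(url, transport):
    """Vulnerable shape: the request leaves without any destination check."""
    return transport(url)


def fetch_url_guarded(url, transport, resolver=socket.getaddrinfo):
    """Fixed shape: the guard runs on every outbound request, at the call site."""
    validate_outbound_url(url, resolver)
    return transport(url)


def is_allowed(url, resolver=socket.getaddrinfo):
    """Boolean view of the guard, convenient for tests and audits."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


# Constructed DNS table so the example runs offline (not real hosts). The
# RFC 5737 documentation ranges count as private in `ipaddress`, so the
# "public" entries use placeholder global-unicast addresses instead.
SAMPLE_DNS = {
    "hooks.example.test": ["100.200.1.10"],
    "intranet.example.test": ["10.0.0.5"],
    "dual.example.test": ["100.200.2.20", "192.168.1.20"],
}


def sample_resolver(host, port, **_kwargs):
    """getaddrinfo look-alike backed by SAMPLE_DNS (constructed)."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in SAMPLE_DNS[host]]


def fake_transport(url):
    """Stand-in for the HTTP client; records rather than sends."""
    return f"would POST to {url}"


if __name__ == "__main__":
    for url in ["https://hooks.example.test/notify", "http://intranet.example.test/admin",
                "http://127.0.0.1:8080/", "http://[::1]/", "http://dual.example.test/",
                "ftp://hooks.example.test/"]:
        try:
            print("ALLOW", fetch_url_guarded(url, fake_transport, sample_resolver))
        except SSRFBlocked as exc:
            print("BLOCK", url, "->", exc)
```

Two points follow from the advisory's wording. First, a guard only helps if every outbound call site invokes it; the lesson of the add‑on's failure to call the platform check is that the validation belongs inside the one fetch helper, not in each caller. Second, validating the resolved address and then letting the HTTP client resolve the name again leaves a window for a changed DNS answer, so a production version should connect to the address the guard returned and re-run the guard on every redirect hop (or disable redirects for webhooks).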
OpenCVE Enrichment
Github GHSA