Description
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.
Published: 2026-05-07
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Weblate's REST API endpoints for screenshots, tasks, and component links. Responses from these endpoints could reference translations in projects the requesting user was not permitted to see, so a user holding an account on the instance (the CVSS vector requires low privileges, so this is not an unauthenticated issue) could enumerate which translations exist in a project that is otherwise hidden from them. The direct impact is disclosure of project structure (which projects, components, and languages exist), which is useful for further reconnaissance; the advisory does not state that the translated strings themselves were exposed. The weakness is classified as CWE-203 (Observable Discrepancy).

Affected Systems

Installations running Weblate versions prior to 5.17.1 are affected. The vendor is Weblate (WeblateOrg on GitHub) and the product is the Weblate localization platform. Any deployment of an affected release whose REST API is reachable by users who lack permission on some of its projects is exposed; on an instance where every account can already see every project there is nothing for this flaw to reveal.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is Medium severity: the flaw is network-reachable and low complexity, but it requires an authenticated low-privileged account and affects confidentiality only, to a limited degree. No EPSS score is available yet, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded for it reports no known exploitation and rates it not automatable. An attacker with an account on the instance would exploit it by querying the screenshot, task, or component link API endpoints and reading the translation references returned for projects they cannot otherwise open.

Generated by OpenCVE AI on May 7, 2026 at 15:21 UTC.

Remediation

Fixed in Weblate 5.17.1 (see GitHub advisory GHSA-gcg5-86jr-f7jg). The vendor documents no workaround other than upgrading.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.17.1 or later
  • Review and adjust user permissions so that only authorized users can access project translations
  • If upgrade is delayed, disable or restrict the screenshot, tasks, and component link API for private projects
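A practical way to confirm the exposure before the upgrade, and its absence afterwards, is to compare what one low-privileged API token can list. The following Python script is an added example written for this page; it is not Weblate's code and not the fix shipped in 5.17.1. It assumes the documented shapes of two REST endpoints: /api/projects/ returning paginated objects with a slug, and /api/screenshots/ returning objects whose translation field is a URL of the form /api/translations/<project>/<component>/<language>/. The host weblate.example, the project slugs, and the two sample responses are constructed for the offline demonstration. Any screenshot whose translation URL names a project the same token cannot list is a leak of the kind the advisory describes.

```python
"""Audit helper: does a low-privileged Weblate API token see screenshot objects
that point at translations in projects the token cannot list?

Added example for this page, not Weblate's own code and not the 5.17.1 fix.
Assumed endpoint shapes: /api/projects/ -> paginated objects with "slug";
/api/screenshots/ -> objects whose "translation" is a URL of the form
.../api/translations/<project>/<component>/<language>/.
All sample data below is constructed, not captured from a real instance.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


def translation_project(translation_url: str) -> Optional[str]:
    """Extract the project slug from a translation URL.

    Assumed layout: /api/translations/<project>/<component>/<language>/
    Returns None when the path does not match that layout.
    """
    parts = [p for p in urlparse(translation_url).path.split("/") if p]
    # expected: ["api", "translations", project, component, language]
    if len(parts) >= 5 and parts[:2] == ["api", "translations"]:
        return parts[2]
    return None


def accessible_projects(projects_response: Dict) -> Set[str]:
    """Slugs of the projects the token can list (paginated 'results')."""
    return {p["slug"] for p in projects_response.get("results", [])}


def find_leaks(objects_response: Dict, visible: Set[str]) -> List[Dict]:
    """Objects whose 'translation' URL names a project not in `visible`.

    Works for any listing whose objects carry a 'translation' URL; the
    screenshots listing is the case named in the advisory.
    """
    leaks = []
    for obj in objects_response.get("results", []):
        project = translation_project(obj.get("translation", ""))
        if project is not None and project not in visible:
            leaks.append({"url": obj.get("url"), "project": project,
                          "translation": obj["translation"]})
    return leaks


def fetch_all(base_url: str, token: str, path: str) -> Dict:
    """Follow Weblate's 'next' pagination and merge every page's 'results'.

    Sends the Authorization: Token header the Weblate API accepts.
    Not called in the offline demonstration below.
    """
    merged: Dict = {"results": []}
    url = base_url.rstrip("/") + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Token {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        merged["results"].extend(page.get("results", []))
        url = page.get("next")
    return merged


# Constructed sample responses: the token is a member of "public-app" only,
# yet the screenshot listing references a translation in "internal-app".
SAMPLE_PROJECTS = {
    "count": 1, "next": None, "previous": None,
    "results": [{"slug": "public-app", "name": "Public App"}],
}
SAMPLE_SCREENSHOTS = {
    "count": 2, "next": None, "previous": None,
    "results": [
        {"url": "https://weblate.example/api/screenshots/1/",
         "name": "login.png",
         "translation": "https://weblate.example/api/translations/public-app/ui/cs/"},
        {"url": "https://weblate.example/api/screenshots/2/",
         "name": "billing.png",
         "translation": "https://weblate.example/api/translations/internal-app/ui/de/"},
    ],
}


def demo() -> List[Dict]:
    """Run the comparison on the constructed samples; returns one leak."""
    visible = accessible_projects(SAMPLE_PROJECTS)
    return find_leaks(SAMPLE_SCREENSHOTS, visible)


if __name__ == "__main__":
    for leak in demo():
        print(f"{leak['url']} references hidden project {leak['project']}")
```

To run it against a live instance, replace the two sample responses with fetch_all(base_url, token, "/api/projects/") and fetch_all(base_url, token, "/api/screenshots/"), using a token from a test account that is deliberately a member of only some projects. The same comparison applies to any response that carries translation URLs, so the task and component link endpoints named in the advisory can be checked the same way.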



Advisories
Source: GitHub GHSA    ID: GHSA-gcg5-86jr-f7jg    Title: Weblate Vulnerable to Private Translation Enumeration via Screenshot API
History

Thu, 07 May 2026 18:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Weblate; Weblate weblate
Vendors & Products    -                Weblate; Weblate weblate

Thu, 07 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description   -                Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.
Title         -                Weblate: Private Translation Enumeration via Screenshot API
Weaknesses    -                CWE-203
References    -
Metrics       -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T15:02:08.282Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44263

Vulnrichment

Updated: 2026-05-07T15:02:01.185Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T15:16:10.613

Modified: 2026-05-07T15:46:27.607

Link: CVE-2026-44263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses