6.8
Weblate translation memory API exposes sensitive data to unauthorized users
CVE-2026-33220
GHSA-mqph-7h49-hqfm
Summary
Weblate's translation memory API in versions prior to 5.17 doesn't control who can access certain data. If you're using an outdated version, you may be exposing sensitive information. Update to version 5.17 or disable the feature if an update isn't possible.
What to do
- Update weblate to version 5.17.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | weblate | < 5.17 (Fix: upgrade to 5.17) |
Original title
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been...
Original description
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
nvd CVSS3.1
6.8
Vulnerability type
CWE-22
Path Traversal
CWE-200
Information Exposure
Published: 15 Apr 2026 · Updated: 17 Apr 2026 · First seen: 15 Apr 2026