CVE-2026-41654

EPSS 0.37%
Veröffentlicht 07.05.2026 13:40:12
Zuletzt bearbeitet 11.05.2026 15:30:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Weblate ≫ Weblate Version < 5.17.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.288

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1

Release Notes

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g

Patch

Vendor Advisory

https://github.com/WeblateOrg/weblate/pull/19061

Patch

Issue Tracking

https://github.com/WeblateOrg/weblate/pull/19062

Patch

Issue Tracking

https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0

Patch

https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-41654

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41654

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41654

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41654