Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-33214
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log
- Created suggestion
Weblate has improper access control for the translation memory API
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
References
-
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r x_refsource_CONFIRM
-
https://github.com/WeblateOrg/weblate/pull/18513 x_refsource_MISC
Affected products
weblate
- ==< 5.17
Matching in nixpkgs
pkgs.weblate
Web based translation tool with tight version control integration
pkgs.python313Packages.weblate-fonts
Weblate fonts collection
pkgs.python314Packages.weblate-fonts
Weblate fonts collection
pkgs.python312Packages.weblate-schemas
Schemas used by Weblate
pkgs.python313Packages.weblate-schemas
Schemas used by Weblate
pkgs.python314Packages.weblate-schemas
Schemas used by Weblate
pkgs.python312Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python313Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python314Packages.weblate-language-data
Language definitions used by Weblate
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@erictapen Kerstin Humm <kerstin@erictapen.name>