Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-33220
6.8 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Activity log
- Created suggestion
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
References
-
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm x_refsource_CONFIRM
-
https://github.com/WeblateOrg/weblate/pull/18516 x_refsource_MISC
Affected products
weblate
- ==< 5.17
Matching in nixpkgs
pkgs.weblate
Web based translation tool with tight version control integration
pkgs.python313Packages.weblate-fonts
Weblate fonts collection
pkgs.python314Packages.weblate-fonts
Weblate fonts collection
pkgs.python312Packages.weblate-schemas
Schemas used by Weblate
pkgs.python313Packages.weblate-schemas
Schemas used by Weblate
pkgs.python314Packages.weblate-schemas
Schemas used by Weblate
pkgs.python312Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python313Packages.weblate-language-data
Language definitions used by Weblate
pkgs.python314Packages.weblate-language-data
Language definitions used by Weblate
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@erictapen Kerstin Humm <kerstin@erictapen.name>