Suggestions search

All statuses

Filter by:

With package: python314Packages.weblate-schemas

Found 13 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-27457

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/pull/18107 x_refsource_MISC
https://github.com/WeblateOrg/weblate/pull/18164 x_refsource_MISC
https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9 x_refsource_MISC
https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f x_refsource_MISC
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1 x_refsource_MISC

Affected products

weblate

==< 5.16.1

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

nixos-unstable 5.15.2
- nixpkgs-unstable 5.15.2
- nixos-unstable-small 5.15.2
nixos-25.11 5.15.1
- nixos-25.11-small 5.15.1
- nixpkgs-25.11-darwin 5.15.1

pkgs.python312Packages.weblate-schemas

Schemas used by Weblate

nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python313Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6
nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python314Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6

pkgs.python312Packages.weblate-language-data

Language definitions used by Weblate

nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python313Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.2
- nixpkgs-unstable 2026.2
- nixos-unstable-small 2026.2
nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python314Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.2
- nixpkgs-unstable 2026.2
- nixos-unstable-small 2026.2

Package maintainers

@erictapen Kerstin Humm <kerstin@erictapen.name>

Untriaged

Permalink CVE-2026-24126

6.6 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 2 months ago Activity log

Created suggestion 2 months ago

Weblate has an argument injection in management console

Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management console.

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47 x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/pull/17722 x_refsource_MISC
https://github.com/WeblateOrg/weblate/commit/78773cc141ce0a97900c11341e6cf856451395fd x_refsource_MISC

Affected products

weblate

==< 5.16.0

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

nixos-unstable 5.15.2
- nixpkgs-unstable 5.15.2
- nixos-unstable-small 5.15.2
nixos-25.11 5.15.1
- nixos-25.11-small 5.15.1
- nixpkgs-25.11-darwin 5.15.1

pkgs.python312Packages.weblate-schemas

Schemas used by Weblate

nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python313Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6
nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python314Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6

pkgs.python312Packages.weblate-language-data

Language definitions used by Weblate

nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python313Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.1
- nixpkgs-unstable 2026.2
- nixos-unstable-small 2026.2
nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python314Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.1
- nixpkgs-unstable 2026.2
- nixos-unstable-small 2026.2

Package maintainers

@erictapen Kerstin Humm <kerstin@erictapen.name>

Untriaged

Permalink CVE-2025-68398

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Weblate has git config file overwrite vulnerability that leads to remote code execution

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.