Server-Side Request Forgery Vulnerability in Weblate Localization Tool
CVE-2026-34244

5 MEDIUM

Key Information:

Vendor: Weblateorg

Status
Vendor
CVE Published: 15 April 2026

What is CVE-2026-34244?

Weblate, an online localization tool, contains a vulnerability that allows a user with project.edit permissions to set machine translation service URLs to arbitrary internal addresses. When these configurations are validated, the server makes an HTTP request to the specified URL, and up to 200 characters of the response body are reflected back to the user, which can disclose sensitive information from internal services. This issue has been addressed in version 5.17, and users are encouraged to upgrade their installations to mitigate the risk. For those unable to upgrade immediately, it is possible to limit accessible machinery services through the WEBLATE_MACHINERY setting.
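The two conditions described above (a request to a user-chosen address, and the response body echoed back) can each be closed independently. The following is an added example, not Weblate's code and not the fix shipped in 5.17; the function names are hypothetical and the addresses in the comments are constructed samples.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Return every IP address the host maps to; IP literals need no DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_service_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied service URL (hypothetical helper)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    for addr in addresses:
        # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        # Loopback, RFC 1918, link-local (e.g. 169.254.169.254) are not global.
        if not addr.is_global:
            return False, "non-public address"
    return True, "ok"


def describe_failure(status_code, body):
    """Build the user-facing error from the status code only.

    The body is deliberately ignored so no part of an internal response
    is reflected to the person who configured the URL.
    """
    return f"Service check failed (HTTP {status_code})"
```

The check resolves the name once; the HTTP client must then connect to the address that was validated, otherwise a second DNS lookup can return a different, internal address.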

Affected Version(s)

weblate < 5.17

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
