CVE Alert

CVE-2026-41654

Severity: UNKNOWN (score 0.0)

Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Weblate is a web-based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1.
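The root cause above is a general Django pitfall: bulk_create() writes rows without calling full_clean(), so field validators such as validate_repo_url never run. The following is an added example, not Weblate's code, that models that behaviour with constructed stand-ins (Component, ComponentStore, validate_repo_url, the scheme allow-list and the sample backup JSON are all assumptions) and contrasts the unvalidated import path with one that runs validation before persisting.

```python
"""Added example (not Weblate's code): why persisting via bulk_create() skips
validate_repo_url, and what a validating import path looks like.

Everything here is a constructed stand-in modelled on the Django behaviour the
advisory describes; it is not Weblate's real implementation.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable, ClassVar
from urllib.parse import urlsplit

# Assumed allow-list of VCS URL schemes; Weblate's own list may differ.
ALLOWED_SCHEMES = {"http", "https", "ssh", "git+ssh"}


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError."""


def validate_repo_url(url: str) -> None:
    """Reject disallowed schemes and literal addresses outside public ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValidationError(f"scheme not allowed: {parts.scheme or '<none>'}")
    host = parts.hostname
    if not host:
        raise ValidationError("missing host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name; resolving it and re-checking the answer is out of scope here.
        return
    if not addr.is_global:
        raise ValidationError(f"non-public address not allowed: {host}")


@dataclass
class Component:
    name: str
    repo: str
    # Per-field validators, in the spirit of Django's Field.validators; run by full_clean().
    validators: ClassVar[dict] = {"repo": [validate_repo_url]}

    def full_clean(self) -> None:
        for field_name, checks in self.validators.items():
            for check in checks:
                check(getattr(self, field_name))


class ComponentStore:
    """Minimal stand-in for a Django model manager."""

    def __init__(self) -> None:
        self.rows: list = []

    def bulk_create(self, objs: list) -> list:
        # Mirrors Django: bulk_create never calls full_clean(), so validators are skipped.
        self.rows.extend(objs)
        return objs

    def create_validated(self, obj: Component) -> Component:
        # Hardened path: validate explicitly before persisting.
        obj.full_clean()
        self.rows.append(obj)
        return obj


# Constructed backup content standing in for components/<name>.json entries.
CONSTRUCTED_BACKUP = json.dumps([
    {"name": "docs", "repo": "https://github.com/example/docs.git"},
    {"name": "internal", "repo": "http://127.0.0.1:9999/"},
    {"name": "local", "repo": "file:///srv/git/local"},
])


def import_backup_unsafe(store: ComponentStore, backup_json: str) -> list:
    """Vulnerable shape: build objects from the archive and bulk_create them as-is."""
    components = [Component(**entry) for entry in json.loads(backup_json)]
    return [c.name for c in store.bulk_create(components)]


def import_backup_safe(store: ComponentStore, backup_json: str) -> dict:
    """Hardened shape: every entry passes full_clean() before it is persisted."""
    accepted, rejected = [], {}
    for entry in json.loads(backup_json):
        try:
            accepted.append(store.create_validated(Component(**entry)).name)
        except ValidationError as exc:
            rejected[entry["name"]] = str(exc)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print("unsafe:", import_backup_unsafe(ComponentStore(), CONSTRUCTED_BACKUP))
    print("safe:", import_backup_safe(ComponentStore(), CONSTRUCTED_BACKUP))
```

The unsafe path accepts all three entries, including the loopback and file:// URLs, exactly because nothing between deserialisation and storage invokes the validator; the safe path admits only the public https entry. When auditing code that ingests untrusted serialized objects, any save path that bypasses full_clean() (bulk_create, bulk_update, raw SQL, or QuerySet.update) deserves the same scrutiny.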

CWE: CWE-20, CWE-918
Vendor: weblateorg
Product: weblate
Published: May 7, 2026

Affected Versions

WeblateOrg / weblate: < 5.17.1

References

External: NVD, CVE.org, EPSS Data

github.com: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g
github.com: https://github.com/WeblateOrg/weblate/pull/19061
github.com: https://github.com/WeblateOrg/weblate/pull/19062
github.com: https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0
github.com: https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14
github.com: https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1