Weblate vulnerable to improper sanitization of project backups
Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file.
Advisories for Pypi/Weblate package
2024
2022
Weblate user account enumeration via reset password form
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
Command injection in Weblate
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-23915. Reason: This candidate is a reservation duplicate of CVE-2022-23915. Notes: All CVE users should reference CVE-2022-23915 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Improper Neutralization of Special Elements used in a Command ('Command Injection') in Weblate
Weblate didn't correctly sanitize some arguments passed to Git and Mercurial, which allowed changing their behavior in an unintended way.
Cross-site Scripting in Weblate
Due to improper neutralization, it was possible to perform cross-site scripting via crafted user and language names.