CVE-2026-34393 is a high-severity vulnerability affecting Weblate versions prior to 5.17. This issue stems from a lack of proper scope limitation within the user patching API endpoint. An attacker can leverage this to modify any translation within the Weblate instance, potentially compromising localization data and workflows. The vulnerability has been resolved in version 5.17.0.
The primary impact of CVE-2026-34393 is the unauthorized modification of translations within a Weblate instance. An attacker could inject malicious content, alter terminology, or introduce errors into localized materials. This could lead to reputational damage, legal liabilities, or functional issues for applications relying on the affected translations. The scope of the vulnerability is broad, as it allows modification of any translation regardless of project or language. This could impact a wide range of users and stakeholders involved in the localization process.
CVE-2026-34393 was publicly disclosed on 2026-04-15. Currently, there are no publicly known proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of exploitation and the potential impact.
Organizations utilizing Weblate for localization, particularly those with publicly accessible instances or those lacking robust access control configurations, are at risk. Shared hosting environments where multiple Weblate instances share resources are also particularly vulnerable.
• python / server:
```shell
# Check the installed Weblate version
python3 -c 'import weblate; print(weblate.__version__)'
```
• generic web:
```shell
# Check whether the patching API endpoint is exposed
curl -I https://your-weblate-instance/api/patches/disclosure
```
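The version check above only prints a string; the snippet below (an added example, not part of the advisory or of Weblate) classifies a version string, or the Weblate pins in a requirements.txt body, against the advisory's affected range "before 5.17". It treats 5.17 pre-releases and dev builds as still affected, since they predate the fixed release; the sample requirements content is constructed.

```python
# Added example (not from the advisory): classify Weblate version strings
# against the CVE-2026-34393 affected range, "all versions before 5.17".
import re

FIXED_RELEASE = (5, 17)  # first fixed release per the advisory

_VERSION_RE = re.compile(
    r"^\s*v?(\d+(?:\.\d+)*)(?:\.?(a|b|rc|dev|alpha|beta)\d*)?", re.I)
# Matches "Weblate==5.16.2", "weblate[postgres]>=5.0", etc.
_PIN_RE = re.compile(
    r"^\s*weblate(?:\[[^\]]*\])?\s*(===?|~=|>=|>|<=|<|!=)\s*([^\s;#,]+)", re.I)


def parse_version(text: str):
    """Split '5.17.0rc1' into ((5, 17), True): release tuple with trailing
    zeros dropped, plus a flag marking pre-release / dev builds."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # 5.17.0 -> 5.17
        release.pop()
    return tuple(release), m.group(2) is not None


def is_affected(version: str) -> bool:
    """True when the version predates 5.17. A 5.17 pre-release (5.17rc1,
    5.17.dev0) still lacks the fix and is therefore reported as affected."""
    release, prerelease = parse_version(version)
    if release < FIXED_RELEASE:
        return True
    return release == FIXED_RELEASE and prerelease


def scan_requirements(text: str):
    """Return (line, verdict) for each Weblate requirement in a
    requirements.txt body; only exact pins give a definite verdict."""
    results = []
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        op, ver = m.groups()
        if op in ("==", "==="):
            verdict = "affected" if is_affected(ver) else "fixed"
        else:
            verdict = "unpinned: resolve the installed version first"
        results.append((line.strip(), verdict))
    return results


if __name__ == "__main__":
    # Constructed sample requirements.txt, not taken from any real project.
    sample = "Django>=5.0\nWeblate==5.16.2\nweblate>=5.0  # loose pin\n"
    for line, verdict in scan_requirements(sample):
        print(f"{line:30} -> {verdict}")
```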
Exploitation status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34393 is to immediately upgrade Weblate to version 5.17.0 or later. If upgrading is not immediately feasible, consider implementing stricter access controls and authentication measures to limit access to the patching API endpoint. While not a complete solution, this can reduce the attack surface. Review Weblate's access control configuration to ensure only authorized users can modify translations. After upgrading, confirm the fix by attempting to access the patching API endpoint with an unauthorized user account and verifying that access is denied.
Upgrade Weblate to version 5.17 or later to mitigate the privilege-escalation vulnerability in the user API. This update fixes the missing restrictions on the scope of edits, preventing unauthorized users from modifying sensitive data.
CVE-2026-34393 is a high-severity vulnerability in Weblate versions before 5.17, allowing unauthorized modification of translations due to insufficient scope limitations in the patching API.
Yes, if you are running Weblate versions 0.0.0 through 5.16, you are affected by this vulnerability and should upgrade immediately.
Upgrade Weblate to version 5.17.0 or later to resolve the vulnerability. If immediate upgrade is not possible, implement stricter access controls.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-34393, but the ease of exploitation warrants immediate attention.
Refer to the official Weblate security advisory for detailed information and updates: [https://weblate.org/security/](https://weblate.org/security/)