CVE-2026-39845

MEDIUM

Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Title source: cna

Description

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround.

References (2)

[X_Refsource_Confirm] https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2

[X_Refsource_Misc] https://github.com/WeblateOrg/weblate/pull/18815

Scores

CVSS v3 4.1

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

pypi/weblate 0 - 5.17PyPI

weblate/weblate < 5.17

WeblateOrg/weblate < 5.17

Published Apr 15, 2026

Tracked Since Apr 16, 2026