HIGHCVE-2026-34393Published 2026-04-15Modified 2026-04-15CNA GitHub_M

CVE-2026-34393: Weblate: Privilege escalation in the user API endpoint

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

WeblateOrg / weblate
< 5.17

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v
https://github.com/WeblateOrg/weblate/pull/18687

Metrics