How CVE-2026-41654 works:
An authenticated attacker with the `project.add` permission (the default on Weblate SaaS and for any user with an active billing or trial plan) can upload a crafted project backup ZIP. Inside that ZIP, a component definition under `components/` sets its `repo` field to a URL that points at an internal address (for example `http://127.0.0.1:9999/`) or uses a scheme that is not on the allow-list, such as `file://` or `git://`. When the backup is imported, Weblate writes the component via `Component.objects.bulk_create()`, which bypasses Django's `full_clean()`, so the `validate_repo_url` validator never executes. The unchecked URL is then written verbatim into `.git/config` by `configure_repo(pull=False)`, after which the server makes outbound requests to whatever the attacker supplied. This is a Server-Side Request Forgery (SSRF) primitive: it can be used to probe internal services, read local files via `file://`, and potentially reach cloud metadata endpoints.

dailycve form:
Platform: Weblate
Version: <5.17.1
Vulnerability: SSRF
Severity: Moderate
Date: 2026-04-30

What Undercode Say:
Commands related to this post:

# Check the installed Weblate version
weblate list_versions
# Locate the bulk_create() call on the backup-import path in the installed source
grep -rn "Component.objects.bulk_create" /path/to/weblate/
Exploit:
# PoC: a backup ZIP whose one component points its repo at the cloud metadata endpoint
import json
import zipfile

with zipfile.ZipFile("evil.zip", "w") as zf:
    zf.writestr("components/evil.json",
                json.dumps({"repo": "http://169.254.169.254/latest/meta-data/"}))
Protection from this CVE
Upgrade to Weblate 5.17.1 or later. If an immediate upgrade is not possible, restrict the `project.add` permission (project creation) to trusted users, since the crafted backup can only be uploaded by users who hold it.
Impact
SSRF allows an authenticated attacker to interact with internal services (e.g., cloud metadata API, internal HTTP endpoints) and read arbitrary local files via the `file://` scheme, leading to information disclosure and potential lateral movement.
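A worked example of the bug pattern described above and of the fix, added here and not part of the original post or of Weblate's code base: a minimal backup importer that reads `components/*.json` (layout taken from the PoC above), a `validate_repo_url` stand-in that rejects disallowed schemes and internal IP literals, the vulnerable importer that skips it (as the `bulk_create()` path does), the hardened one that runs it before inserting, and an auditor for remote URLs already written into `.git/config`. The scheme allow-list, the function names and the sample config are assumptions made for the example, not Weblate's own.

```python
import io
import ipaddress
import json
import re
import zipfile
from urllib.parse import urlparse

# Allow-list of repo URL schemes for the hardened importer. This set is an
# assumption made for the example, not Weblate's own validator configuration.
ALLOWED_SCHEMES = {"https", "ssh"}


class InvalidRepoURL(ValueError):
    """Raised for repository URLs that would hand the server an SSRF primitive."""


def validate_repo_url(url):
    """Stand-in for the validator the vulnerable path skips.

    Not Weblate's validate_repo_url: it only checks the scheme and literal
    addresses. Hostnames are not resolved, so a name that resolves to an
    internal address (DNS rebinding) is not caught here.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise InvalidRepoURL("scheme not allowed: %r" % parsed.scheme)
    host = parsed.hostname
    if not host:
        raise InvalidRepoURL("missing host in %r" % url)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return url  # not an IP literal; hostname checks are out of scope here
    if (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_unspecified or addr.is_multicast):
        raise InvalidRepoURL("address not allowed: %s" % host)
    return url


def is_safe_repo_url(url):
    try:
        validate_repo_url(url)
        return True
    except InvalidRepoURL:
        return False


def load_components(zip_bytes):
    """Read components/*.json from a backup ZIP (layout assumed from the PoC)."""
    comps = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("components/") and name.endswith(".json"):
                comps.append(json.loads(zf.read(name)))
    return comps


def import_backup_vulnerable(zip_bytes):
    """Mirrors the bug: rows go straight to a bulk insert, no validator runs."""
    return [c["repo"] for c in load_components(zip_bytes)]


def import_backup_hardened(zip_bytes):
    """Validate every component before any row is inserted."""
    comps = load_components(zip_bytes)
    for c in comps:
        validate_repo_url(c["repo"])
    return [c["repo"] for c in comps]


def build_backup(repo_url):
    """Constructed sample input: a one-component backup ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("components/example.json",
                    json.dumps({"name": "example", "repo": repo_url}))
    return buf.getvalue()


_SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')
_REMOTE_URL = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')


def audit_git_config(text):
    """Return remote URLs in a .git/config that fail validation.

    Useful for repos created before the fix, since the vulnerable path
    wrote the attacker's URL into .git/config verbatim.
    """
    bad, section = [], None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _REMOTE_URL.match(line)
        if m and section and section.startswith("remote ") and not is_safe_repo_url(m.group(1)):
            bad.append(m.group(1))
    return bad
```

Running `audit_git_config` over the `.git/config` of every component directory is the quick post-upgrade check for repositories that were created through a malicious backup before the fix was applied; the validator deliberately does not resolve hostnames, so a deployment that wants to block names resolving to internal addresses needs a resolution step with its own rebinding protections.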
Sources:
Reported By: github.com

