HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2026-41654 — Weblate is a web based localization tool. Prior to version 5.17.1, an authentica...

·Source: NIST NVD

Updated:

Executive Summary

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/ .json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed sc

Analysis

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/ .json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1. CVSS Score: 8.1. Published: 2026-05-07T15:16:07.907.

Indicators of Compromise (2)

CVE (1)
CVE-2026-41654
NVDMITRE CVE
URL (1)
http://127.0.0.1:9999/)
VirusTotalURLhaus
Source Attribution

Originally published by NIST NVD on May 7, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

Deutsche Bank joins $120m funding round for crypto analytics firm Elliptic

Cryptocurrency and blockchain surveillance and analytics specialist Elliptic has raised $120 million in a Series D funding round led by One Peak, with participation from Nasdaq Ventures, Deutsche Bank and the British Business Bank.

Finextra
MEDIUMVulnerabilityNEW

Paybis secures MiCA and PSD2 licences

Paybis, a trusted cryptocurrency platform serving 7 million people, today joins a small club of global crypto platforms to have received authorisation as a Crypto Asset Service Provider (CASP) under the EU’s Markets in Crypto-Assets regulation (MiCA), alongside receiving a Payment Institution (PI) licence under PSD2 simultaneously, on the same day.

Finextra
CRITICALVulnerability

73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation

Attackers can compromise systems in minutes while patching and response still take hours or days. Picus Security breaks down why autonomous validation is becoming critical for modern defense strategies. [...]

BleepingComputer