PT-2026-33121 · Weblate · Weblate

Published: 2026-04-15 · Updated: 2026-04-16 · CVE-2026-34244

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17

Description: A user with the project.edit permission, granted by the per-project Administration role, can configure machine translation service URLs to point to arbitrary internal network addresses. While validating this configuration, the application performs an HTTP request to the specified URL and returns up to 200 characters of the response body within an error message. This allows Server-Side Request Forgery (SSRF), a flaw in which the server is tricked into making requests to an unintended location, combined with a partial read of the response.

Recommendations: Update to version 5.17. Limit the available machinery services via the WEBLATE_MACHINERY setting.

Fix

Information Disclosure

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34244
GHSA-XRWR-FCW6-FMQ8

Affected Products

Weblate