PT-2026-36816 · Weblate · Weblate

Fg0X0 · Published 2026-04-30 · Updated 2026-05-07 · CVE-2026-41654

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17.1
Description: An authenticated user with the project.add permission can import a specially crafted project backup ZIP file. If the components/<name>.json file within the ZIP contains a repo URL that points to a private address or uses a non-allow-listed scheme (such as file:// or git://), the software does not validate it. The cause is that the import path creates the component with Component.objects.bulk_create([component])[0], which bypasses the model's full clean() method and therefore the validate_repo_url validator. Consequently, the malicious URL is written directly into the .git/config file by configure_repo(pull=False).
Recommendations: Update to version 5.17.1. Limit the number of users who have permission to create projects to reduce the risk of exploitation.
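As an added illustration, not Weblate's code: the hypothetical validate_repo_url and import_component functions below model the defect class the description names, a save path that skips the URL validator next to one that runs it before persisting. The scheme allow-list, the sample records and all function names are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlparse
# Hypothetical allow-list; which schemes a deployment accepts is a policy choice.
ALLOWED_SCHEMES = {"https", "ssh"}

def _is_private_host(host: str) -> bool:
    """True for localhost and literal loopback/private/link-local/reserved IPs.
    DNS names are not resolved here (a production check would resolve and test them)."""
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved

def validate_repo_url(url: str) -> str:
    """Reject non-allow-listed schemes (file://, git://, ...) and private/local
    targets; return the URL unchanged when it is acceptable."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme or '<none>'}")
    if _is_private_host(parsed.hostname or ""):
        raise ValueError(f"private or local host rejected: {parsed.hostname}")
    return url

def import_component(record: dict, *, validate: bool) -> dict:
    """Model the two import paths: validate=False mirrors a bulk insert that skips
    model validation; validate=True runs the URL check before the record is saved."""
    if validate:
        validate_repo_url(record["repo"])
    return dict(record)  # stands in for the persisted component
# Constructed records shaped like components/<name>.json entries of a backup.
SAMPLE_COMPONENTS = [
    {"name": "public", "repo": "https://git.example.org/project.git"},
    {"name": "local-file", "repo": "file:///srv/git/example"},
    {"name": "git-proto", "repo": "git://192.168.0.10/example.git"},
    {"name": "loopback", "repo": "https://127.0.0.1/example.git"},
]

def triage(records: list) -> dict:
    """Map each component name to 'accepted' or the rejection reason."""
    out = {}
    for rec in records:
        try:
            import_component(rec, validate=True)
            out[rec["name"]] = "accepted"
        except ValueError as exc:
            out[rec["name"]] = str(exc)
    return out
```

Running triage over the sample list shows only the public HTTPS record being accepted, while import_component with validate=False persists every record untouched, which is the behaviour the advisory describes.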

Tags: Fix · RCE · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41654
GHSA-CWCX-382V-8M9G

Affected Products

Weblate