{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39845", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-15T18:26:51.706Z", "dateUpdated": "2026-04-15T20:01:56.793Z"}, "containers": {"cna": {"title": "Weblate: SSRF via the webhook add-on using unprotected fetch_url()", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18815", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18815"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:26:51.706Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround."}], "source": {"advisory": "GHSA-f8hv-g549-hwg2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T19:37:00.454275Z", "id": "CVE-2026-39845", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:01:56.793Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39845", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T19:37:00.454275Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T19:37:07.632Z"}}], "cna": {"title": "Weblate: SSRF via the webhook add-on using unprotected fetch_url()", "source": {"advisory": "GHSA-f8hv-g549-hwg2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18815", "name": "https://github.com/WeblateOrg/weblate/pull/18815", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:26:51.706Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39845", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:01:56.793Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T18:26:51.706Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "64AD3B80-D39E-4EAF-9CF8-B4D3C8A6C58A", "versionEndExcluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround."}], "id": "CVE-2026-39845", "lastModified": "2026-04-21T14:05:02.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:36.373", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/weblate/pull/18815"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-f8hv-g549-hwg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-15T22:12:48.897088+00:00", "value": {"mitigation_remediation": ["Update to Weblate 5.17 or newer, which includes the required SSRF protection in the webhook add\u2011on.", "If an upgrade cannot be performed immediately, disable the webhook add\u2011on entirely to eliminate the attack surface.", "Restrict outbound HTTP(S) traffic from the Weblate server to a minimal set of trusted destinations using firewall rules or network segmentation.", "Monitor Weblate logs for unusual outbound requests or webhook activity that could indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery enabling a malicious actor to direct the Weblate server to access arbitrary internal network resources"}, "threat_synthesis": {"affected_systems": "Any installation of Weblate using the webhook add\u2011on and operating on a version older than 5.17 is vulnerable. The affected product is Weblate (WeblateOrg:weblate). No additional sub\u2011product information is provided.", "description_and_impact": "Weblate versions prior to 5.17 contain a flaw in the webhook add\u2011on that fails to invoke the platform\u2019s SSRF protection mechanisms when performing outbound HTTP requests via fetch_url(). This results in Server\u2011Side Request Forgery, where an attacker can force Weblate to issue requests to arbitrary internal URLs, potentially exposing sensitive data or enabling further pivoting within the network. The vulnerability is classified as CWE\u2011918. The description does not indicate that expertise or special privileges beyond those granted to a user who can add or configure webhooks are necessary, so it is inferred that the attack likely requires at least user\u2011level access to the webhook configuration interface.", "risk_and_exploitability": "The CVSS score of 4.1 categorises the flaw as medium severity, suggesting the risk is moderate. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalogue, indicating it is not currently known to be widely exploited. Exploitation requires the ability to configure or trigger the webhook add\u2011on; whether authentication or elevated privileges are necessary is not explicitly stated in the description, so that detail remains uncertain. The likely attack vector involves interacting with the web application\u2019s configuration interface or tampering with incoming webhook data to trigger a fetch_url() call to an attacker\u2011controlled endpoint."}}}}, "created": "2026-04-15T22:15:15.711094+00:00", "updated": "2026-04-16T09:12:27.103860+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}