Nixpkgs security tracker

Details of issue NIXPKGS-2026-0415

CVE-2026-27457
CVSS base score: 4.3 (MEDIUM)
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
Updated 1 month, 2 weeks ago by @LeSuisse

Activity log:
  • Created automatic suggestion
  • @LeSuisse ignored
    6 packages
    • python312Packages.weblate-schemas
    • python313Packages.weblate-schemas
    • python314Packages.weblate-schemas
    • python312Packages.weblate-language-data
    • python313Packages.weblate-language-data
    • python314Packages.weblate-language-data
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web-based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.
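
The description above comes down to a view whose queryset is never scoped to the caller. As an added illustration (not Weblate's code and not its actual fix), the constructed in-memory model below contrasts a view with a static unscoped queryset against one whose `get_queryset()` filters by the caller's project access; the `Addon` and `User` classes, the `project_acl` field and the sample addons are assumptions standing in for Django models and Weblate's per-project ACL.

```python
# Constructed in-memory model of the bug class behind CVE-2026-27457. Not Weblate's code:
# Addon, User, project_acl and the sample addons are assumptions standing in for Django models.
from dataclasses import dataclass

@dataclass(frozen=True)
class Addon:
    id: int
    name: str
    project: str  # project that owns the addon's component
    configuration: dict

@dataclass
class User:
    username: str
    project_acl: frozenset = frozenset()  # projects this user may view; empty for anonymous
    def can_view(self, project: str) -> bool:
        return project in self.project_acl

# constructed sample data: addons from two different projects
ADDONS = [
    Addon(1, "weblate.flags.bulk", "public-docs", {"flags": "ignore-same"}),
    Addon(2, "weblate.git.squash", "internal-app", {"squash": "all"}),
    Addon(3, "weblate.autotranslate", "internal-app", {"engines": ["weblate"]}),
]

class VulnerableAddonViewSet:
    """Flawed shape: a static, unscoped queryset and no get_queryset()
    override, so list() and retrieve() ignore who is asking."""
    queryset = ADDONS

    def list(self, user: User):
        return [a.id for a in self.queryset]
    def retrieve(self, user: User, addon_id: int) -> Addon:
        return next(a for a in self.queryset if a.id == addon_id)

class ScopedAddonViewSet(VulnerableAddonViewSet):
    """Hardened shape: every lookup goes through get_queryset(), which
    keeps only addons in projects the caller may view."""
    def get_queryset(self, user: User) -> list:
        return [a for a in self.queryset if user.can_view(a.project)]

    def list(self, user: User):
        return [a.id for a in self.get_queryset(user)]

    def retrieve(self, user: User, addon_id: int) -> Addon:
        hits = [a for a in self.get_queryset(user) if a.id == addon_id]
        if not hits:  # answer "not found", not "forbidden", so the id's existence is not confirmed
            raise LookupError(f"addon {addon_id} not visible to {user.username}")
        return hits[0]
```

In Django REST Framework the equivalent is overriding `get_queryset()` on the ViewSet and letting `get_object()` raise a 404 for objects outside the scoped queryset, which is why the hardened `retrieve()` above raises a lookup error rather than a permission error.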

Affected products

weblate
  • < 5.16.1

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration


Upstream advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv
Upstream patches:
* https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9
* https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f