Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1132

NIXPKGS-2026-1132

GitHub issue published on

Permalink CVE-2026-34244

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

updated 8 hours ago by @LeSuisse Activity log

Created automatic suggestion 13 hours ago
@LeSuisse ignored
8 packages
- python314Packages.weblate-language-data
- python313Packages.weblate-language-data
- python314Packages.weblate-schemas
- python312Packages.weblate-schemas
- python314Packages.weblate-fonts
- python313Packages.weblate-fonts
- python313Packages.weblate-schemas
- python312Packages.weblate-language-data
9 hours ago
@LeSuisse accepted 9 hours ago
@LeSuisse published on GitHub 8 hours ago

Weblate: SSRF via Project-Level Machinery Configuration

Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-xrwr-fcw6-fmq8 x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/commit/e619e9090202e4886b844c110d39308e7e882c0e x_refsource_MISC

Affected products

weblate

==< 517

Matching in nixpkgs

pkgs.weblate

Web based translation tool with tight version control integration

nixos-unstable 5.16.2
- nixpkgs-unstable 5.16.2
- nixos-unstable-small 5.16.2
nixos-25.11 5.15.1
- nixos-25.11-small 5.15.1
- nixpkgs-25.11-darwin 5.15.1

Ignored packages (8)

pkgs.python313Packages.weblate-fonts

Weblate fonts collection

nixos-unstable 2026.1
- nixpkgs-unstable 2026.1
- nixos-unstable-small 2026.1

pkgs.python314Packages.weblate-fonts

Weblate fonts collection

nixos-unstable 2026.1
- nixpkgs-unstable 2026.1
- nixos-unstable-small 2026.1

pkgs.python312Packages.weblate-schemas

Schemas used by Weblate

nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python313Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6
nixos-25.11 2025.6
- nixos-25.11-small 2025.6
- nixpkgs-25.11-darwin 2025.6

pkgs.python314Packages.weblate-schemas

Schemas used by Weblate

nixos-unstable 2025.6
- nixpkgs-unstable 2025.6
- nixos-unstable-small 2025.6

pkgs.python312Packages.weblate-language-data

Language definitions used by Weblate

nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python313Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.7
- nixpkgs-unstable 2026.7
- nixos-unstable-small 2026.7
nixos-25.11 2025.10
- nixos-25.11-small 2025.10
- nixpkgs-25.11-darwin 2025.10

pkgs.python314Packages.weblate-language-data

Language definitions used by Weblate

nixos-unstable 2026.7
- nixpkgs-unstable 2026.7
- nixos-unstable-small 2026.7

Package maintainers

@erictapen Kerstin Humm <kerstin@erictapen.name>