{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34393", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-04-15T18:24:30.813Z", "dateUpdated": "2026-04-15T18:38:53.920Z"}, "containers": {"cna": {"title": "Weblate: Privilege escalation in the user API endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18687", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18687"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:24:30.813Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17."}], "source": {"advisory": "GHSA-3382-gw9x-477v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:38:44.703405Z", "id": "CVE-2026-34393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:38:53.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T18:38:44.703405Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:38:49.266Z"}}], "cna": {"title": "Weblate: Privilege escalation in the user API endpoint", "source": {"advisory": "GHSA-3382-gw9x-477v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18687", "name": "https://github.com/WeblateOrg/weblate/pull/18687", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:24:30.813Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34393", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:38:53.920Z", "dateReserved": "2026-03-27T13:45:29.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T18:24:30.813Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17."}], "id": "CVE-2026-34393", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:36.070", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/pull/18687"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-16T02:29:02.001559+00:00", "value": {"mitigation_remediation": ["Upgrade the Weblate installation to version 5.17 or later to apply the vendor\u2011supplied fix.", "If patching immediately is not feasible, restrict API access to only those users who absolutely require patching capabilities and remove or reduce permissions for anonymous or low\u2011privilege accounts.", "Review and harden authentication and authorization checks around the user patching API endpoint to ensure that scope limits are enforced before applying changes."], "summary": {"action": "Immediate Patch", "impact": "Privilege escalation"}, "threat_synthesis": {"affected_systems": "Weblate, a web\u2011based localization tool from WeblateOrg, is impacted. Any installation using Weblate prior to the 5.17 release is vulnerable, regardless of deployment environment. The issue was corrected in the 5.17 update.", "description_and_impact": "The vulnerability resides in the user patching API endpoint of Weblate, a web\u2011based localization platform provided by WeblateOrg. Prior to version 5.17 the endpoint did not correctly enforce scope limits, enabling a user to modify data beyond the intended boundaries. This flaw allows an attacker with API access to elevate privileges and potentially alter translation content or user configurations that should be protected, compromising the integrity of the platform. The flaw is identified as CWE\u2011269.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity level. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting no publicly known exploits at this time. The likely attack vector is through authenticated use of the API; an attacker that can authenticate to the Weblate instance can craft requests to the patching endpoint to gain unauthorized modification rights. No other special conditions are noted in the description, so any authenticated user who has API access is at potential risk until the issue is patched or mitigated."}}}}, "created": "2026-04-16T02:30:21.690109+00:00", "updated": "2026-04-16T09:12:28.179799+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}