Weblate Redirect Bypass Vulnerability in ALLOWED_ASSET_DOMAINS Setting

Vulnerability

Weblate, a web-based localization tool, enforces the ALLOWED_ASSET_DOMAINS setting when it fetches a screenshot from a user-supplied URL. In versions prior to 5.17 the check was applied only to the initial request and not to the targets of HTTP redirects, so a URL on a permitted domain that redirects elsewhere causes the server to fetch from a domain the setting was meant to exclude. Since uploading a screenshot by URL requires an account, the result is an authenticated server-side request forgery (SSRF).

Impact

An authenticated user can bypass the domain restriction and make the Weblate server follow a redirect to a host that ALLOWED_ASSET_DOMAINS does not permit, turning the screenshot URL upload into an SSRF primitive against whatever that server can reach.

Reproduction

Upload a screenshot by URL, where the URL points at a host listed in ALLOWED_ASSET_DOMAINS that answers with an HTTP redirect to a host not in the list. On affected versions the upload is accepted and the redirect is followed rather than blocked, confirming the bypass.
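The pattern behind the vulnerability and the reproduction steps above, as an added example that is not Weblate's code: an allowlist checked once on the initial URL and then ignored while the HTTP client follows redirects, beside a fetcher that re-checks every hop before requesting it. The redirect chain is a constructed in-memory stand-in for live servers, and exact hostname matching against ALLOWED_ASSET_DOMAINS is an assumption of this example, not a statement about how Weblate matches domains.

```python
"""Added example, not Weblate's code.

Shows why checking ALLOWED_ASSET_DOMAINS only on the first request is
bypassable via a redirect, and a hop-by-hop check that closes the gap.
Assumptions (not from the advisory): the allowlist holds bare hostnames
matched exactly, and the HTTP client is replaced by a constructed table.
"""
from urllib.parse import urljoin, urlparse

# Constructed redirect chain standing in for real servers:
# URL -> (status, Location header or None, body)
FAKE_SERVERS = {
    # Permitted host that bounces to a non-permitted (here: internal) address.
    "https://assets.example.com/shot.png": (
        302, "http://169.254.169.254/latest/meta-data/", b""),
    "http://169.254.169.254/latest/meta-data/": (
        200, None, b"ami-id\ninstance-id\n"),
    # Permitted host redirecting to another permitted host: must still work.
    "https://assets.example.com/hop": (302, "https://cdn.example.org/shot.png", b""),
    "https://cdn.example.org/shot.png": (200, None, b"\x89PNG\r\n\x1a\n"),
}

ALLOWED_ASSET_DOMAINS = {"assets.example.com", "cdn.example.org"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class AssetDomainError(Exception):
    """Raised when a URL (initial or redirect target) is not on the allowlist."""


def host_allowed(url, allowed=ALLOWED_ASSET_DOMAINS):
    """Exact hostname match on an http(s) URL (assumed matching rule)."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname in allowed


def fake_get(url):
    """Stand-in for an HTTP GET that does not follow redirects itself."""
    return FAKE_SERVERS.get(url, (404, None, b""))


def fetch_vulnerable(url, max_redirects=5):
    """Validates the allowlist once, then follows redirects blindly."""
    if not host_allowed(url):
        raise AssetDomainError(url)
    for _ in range(max_redirects + 1):
        status, location, body = fake_get(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # no re-check: this is the bypass
            continue
        return url, body
    raise AssetDomainError("too many redirects")


def fetch_hardened(url, max_redirects=5):
    """Validates every URL in the chain, including each redirect target."""
    for _ in range(max_redirects + 1):
        if not host_allowed(url):
            raise AssetDomainError(url)
        status, location, body = fake_get(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # re-checked at the top of the loop
            continue
        return url, body
    raise AssetDomainError("too many redirects")


if __name__ == "__main__":
    final, body = fetch_vulnerable("https://assets.example.com/shot.png")
    print("vulnerable fetcher ended at:", final, body)
    try:
        fetch_hardened("https://assets.example.com/shot.png")
    except AssetDomainError as exc:
        print("hardened fetcher blocked redirect to:", exc)
    print("hardened fetcher, allowed hop:", fetch_hardened("https://assets.example.com/hop")[0])
```

Disabling the client's automatic redirect handling and validating each Location target before requesting it is the shape of fix the advisory implies. A hostname allowlist only constrains which name the client is told to connect to; it does not by itself control what that name resolves to, so a complete screenshot fetcher would also bound the number of hops and the response size.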

Remediation

Upgrade to Weblate 5.17 or later, where this issue is fixed.

Added: Apr 15, 2026, 7:58 PM
Updated: Apr 15, 2026, 7:58 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.