CVE-2026-21889

low

Description

Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385

https://github.com/WeblateOrg/weblate/pull/17516

https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47

Details

Source: Mitre, NVD

Published: 2026-01-14

Updated: 2026-01-23

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 2.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Severity: Low

EPSS

EPSS: 0.00045