
Description

Weblate is a web-based localization tool. Prior to 5.15.2, screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.

PUBLISHED | Reserved 2026-01-05 | Published 2026-01-14 | Updated 2026-01-14 | Assigner GitHub_M

LOW: 2.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N)

Problem types

CWE-284: Improper Access Control

Product status

< 5.15.2: affected

References

github.com/...eblate/security/advisories/GHSA-3g2f-4rjg-9385

github.com/WeblateOrg/weblate/pull/17516

github.com/...ommit/a6eb5fd0299780eca286be8ff187dc2d10feec47

cve.org (CVE-2026-21889)

nvd.nist.gov (CVE-2026-21889)
