Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-27457
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-26 Feb, 2026 | 21:56
Updated At-26 Feb, 2026 | 21:56
Rejected At-
▼CVE Numbering Authority (CNA)
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.

Affected Products
Vendor
WeblateOrg
Product
weblate
Versions
Affected
  • < 5.16.1
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv
x_refsource_CONFIRM
https://github.com/WeblateOrg/weblate/pull/18107
x_refsource_MISC
https://github.com/WeblateOrg/weblate/pull/18164
x_refsource_MISC
https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9
x_refsource_MISC
https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f
x_refsource_MISC
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1
x_refsource_MISC
Hyperlink: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/WeblateOrg/weblate/pull/18107
Resource:
x_refsource_MISC
Hyperlink: https://github.com/WeblateOrg/weblate/pull/18164
Resource:
x_refsource_MISC
Hyperlink: https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9
Resource:
x_refsource_MISC
Hyperlink: https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f
Resource:
x_refsource_MISC
Hyperlink: https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1
Resource:
x_refsource_MISC
Details not found