{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T23:56:44.758","vulnerabilities":[{"cve":{"id":"CVE-2026-27457","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T22:20:48.133","lastModified":"2026-02-27T17:05:12.150","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue."},{"lang":"es","value":"Weblate es una herramienta de localización basada en web. Antes de la versión 5.16.1, el `AddonViewSet` de la API REST (`weblate/api/views.py`, línea 2831) utiliza `queryset = Addon.objects.all()` sin sobrescribir `get_queryset()` para limitar el alcance de los resultados por permisos de usuario. Esto permite a cualquier usuario autenticado (o usuarios anónimos si `REQUIRE_LOGIN` no está configurado) listar y recuperar TODOS los complementos en todos los proyectos y componentes a través de `GET /api/addons/` y `GET /api/addons/{id}/`. \nLa versión 5.16.1 soluciona el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-862"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*","versionEndExcluding":"5.16.1","matchCriteriaId":"CFDB43E7-50FD-4502-A4AB-338C87AD180C"}]}]}],"references":[{"url":"https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WeblateOrg/weblate/pull/18107","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/WeblateOrg/weblate/pull/18164","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}