weblate

vweblate-2026.6 scope: weblate Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2d

Topics

continuous-localization crowdsourcing dcode-2025 django gettext i18n internationalization l10n localization python translation

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 2d

Outbound URL validation now blocks extra non‑public targets per GHSA-vmfc-9982-2m45; Django projects must add 'weblate.workspaces' to INSTALLED_APPS when upgrading.

Why it matters: The security fix prevents unintended external requests (GHSA severity 90). The breaking change requires an immediate code update: add 'weblate.workspaces' to INSTALLED_APPS before upgrading to avoid runtime errors.

Summary

AI summary

Added REST API management for announcements, per‑language team memberships, cost estimates, OpenTelemetry tracing, and Workspaces to group related projects.

Changes in this release

Security Critical

Outbound URL validation now rejects additional non-public targets (GHSA-vmfc-9982-2m45).

Source: llm_adapter@2026-06-01

Confidence: high

Breaking High

'weblate.workspaces' must be added to INSTALLED_APPS during upgrade.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Announcements can now be managed via Weblate’s REST API for specific project languages.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Team memberships can now be limited to selected languages for per‑user translation permissions.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Cost estimates added to translation reports.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Optional OpenTelemetry tracing and Google Cloud Error Reporting added for backend requests and tasks.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Workspaces added to group related projects with scoped teams, defaults inheritance, and billing details when available.

Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Docker containers can configure SAML security via WEBLATE_SAML_SECURITY_CONFIG and adjust supported formats with WEBLATE_ADD_FORMATS / WEBLATE_REMOVE_FORMATS.

Source: llm_adapter@2026-06-01

Confidence: high

Performance Medium

Inconsistent check performance improved on large projects.

Source: llm_adapter@2026-06-01

Confidence: high

Bugfix Medium

Project‑language Announcements no longer appear across the whole project.

Source: llm_adapter@2026-06-01

Confidence: high

Bugfix Low

POST /api/screenshots/ access checks hardened against private project enumeration.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Registration‑attempt e‑mails now link to password reset for account setup completion.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Inviting new users links now work for signed‑in owners of the invited e‑mail address.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

String search supports the changed_by:"" filter, and combined change filters apply to the same event.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Gitea/Forgejo pull requests no longer reconfigure fork remotes to point at source repository.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Project and category language sessions keep strings grouped by component priority and show reliable switch warnings.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Engage page task links stay centered and display target translation language.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Gettext POT update add‑ons rescan translations after committing updated POT/PO files.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Git repositories correctly update branches when remote has same‑named tag.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Conflicting repository setup alerts now allow same‑branch direct pushes.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Bugfix Low

Translation pages for workspace projects no longer crash when workspace fields are deferred.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Refactor Low

Obsolete cleanup schedules removed from Celery beat during upgrade.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Full changelog

Released on June 1st 2026.

New features

  • Announcements can now also be managed via Weblate’s REST API for specific project languages.

  • Team memberships can now be limited to selected languages for per-user translation permissions.

  • Added cost estimates to translation reports.

  • Added optional OpenTelemetry tracing for backend requests and tasks, and Google Cloud Error Reporting for handled server errors.

  • Added Workspaces to group related projects, with workspace project listings, workspace-scoped teams and project creation permissions, inherited workspace, project, and category defaults for selected component settings, and billing details when available.

Improvements

Bug fixes

  • Outbound URL validation now rejects additional non-public targets (GHSA-vmfc-9982-2m45).

  • Project-language Announcements no longer appear across the whole project.

  • Hardened POST /api/screenshots/ access checks against private project enumeration.

  • Registration-attempt account activity e-mails now link to password reset to help users finish account setup.

  • Inviting new users links now work for signed-in users whose account owns the invited e-mail address.

  • Searching for strings with content changes without a recorded author now supports changed_by:"", and combined change filters now apply to the same change event.

  • Gitea and Forgejo pull requests no longer reconfigure existing fork remotes to point to the source repository.

  • Project and category language translation sessions now keep strings grouped by component priority and show component switch warnings reliably.

  • Engage page task links now stay centered and show the target translation language.

  • Gettext POT update add-ons now rescan translations after committing updated POT and PO files.

  • Git repositories now update branches correctly when the remote also has a tag with the same name.

  • Conflicting repository setup alerts now allow same-branch direct pushes.

  • Obsolete cleanup schedules are now removed from Celery beat during upgrade.

  • Translation pages for workspace projects no longer crash when workspace fields are deferred.

Upgrading

Please follow the Generic upgrade instructions in order to perform the update.

  • There is a change in INSTALLED_APPS; weblate.workspaces should be added.

  • The database migrations might take longer on larger instances.

Contributors

Code contributions
Michal Čihař, Karen Konou, Weblate CI, Basheer Radman, michael-smt, Kristián Kunc, felixfon

Translations contributions
Michal Čihař, VfBFan, 大王叫我来巡山, Emin Tufan Çetin, Basheer Radman, 為什麼不加空格, Peter Vančo, Christian Wia, Любомир Василев, Matthaiks, Andrei Stepanov, Libre, Besnik Bleta, ℂ𝕠𝕠𝕠𝕝 (𝕘𝕚𝕥𝕙𝕦𝕓.𝕔𝕠𝕞/ℂ𝕠𝕠𝕠𝕝), Balázs Meskó, Aindriú Mac Giolla Eoin, Adam Havránek, Dick Groskamp, Arif Budiman, Mickaël Binos, Ryo Nakano, hoanghuy309, Pierfrancesco Passerini, Alefsander Ribeiro Nascimento, Massimo Pissarello, justcontributor, 이정희, Cabdi Waaxid Siciid, Yaron Shahrabani, User2068, Kyotaro Iijima, pan93412, jernejp21, libermax, Phileas Fogg, Fjuro, Jim Kats, Fulup Jakez, Priit Jõerüüt, Ldm Public, Andi Chandler, Burak SDN, ojppe

Documentation contributions
Michal Čihař, VfBFan, Basheer Radman, Weblate CI, michael-smt, felixfon

All changes in detail.

Breaking Changes

  • INSTALLED_APPS must include `weblate.workspaces`

Security Fixes

  • GHSA-vmfc-9982-2m45 – Outbound URL validation now rejects additional non‑public targets


About weblate

Web based localization tool with tight version control integration.
