WeblateOrg/weblate weblate-5.17

Weblate 5.17

on GitHub

Released on April 15th 2026.

New features

• Added PROJECT_WEB_RESTRICT_ALLOWLIST to exempt selected project slugs from project website restriction settings.

• Added WEBSITE_ALERTS_ENABLED setting to allow disabling project website availability checks and alerts.

• Added new management command list_format_features, which generates RST documentation snippets describing the supported features for every file format.

• Shared components can now be categorized within the target project, including through the Weblate’s REST API using the category_id parameter.

• Added Update POT file (xgettext), Update POT file (Meson), Update POT file (Django), and Update POT file (Sphinx) to update POT files with configurable update cadence.

• Added PASSWORD_RESET_URL to customize the sign-in page password reset link, useful for external identity providers (Docker env: WEBLATE_PASSWORD_RESET_URL).

• Added bulk user invitations.

• Added Objective-C format.

• Added Forgejo notification webhook, see Automatically receiving changes from Forgejo Repos.

• Added translation memory API filtering, scoped access, and bulk lookup support.

• Added from_component support to the REST API for creating components from existing component content and for seeding new translations by automatic translation from existing components.

• Announcements can now be managed via the Weblate’s REST API for projects, components and translations.

• Added a soft mode to VERSION_DISPLAY to hide the Weblate version from prominent UI while keeping it available on the About page and GET /api/metrics/.

Improvements

• Track origin of newly added source strings.

• Markdown now uses auto-safe-html by default, applying Unsafe HTML and Unsafe HTML cleanup only to plain text and source strings that contain standard HTML markup or valid custom elements.

• Improved LLM interfaces for better reliability.

• Improved logic for adding monolingual plurals in GNU gettext PO (Portable Object).

• Added a component alert for conflicting merge request repository setup, see Translation component alerts.

• Improved plural handling in Automatic translation.

• Improved error messages in some Weblate’s REST API endpoints.

• Updated Microsoft Entra ID authentication docs and Microsoft sign-in branding while keeping legacy Azure AD backend identifiers and documentation anchors for compatibility.

• Improved performance of project and category search result pages with very large match sets.

• Docker now exposes WEBLATE_COMMIT_PENDING_HOURS, WEBLATE_SOCIAL_AUTH_KEYCLOAK_ID_KEY for customizing the Keycloak unique user identifier claim, and WEBLATE_NGINX_IPV6 for controlling IPv6 listeners in the bundled NGINX.

• Project history now records project backups and project/component restore events.

• Improved documentation with auto-generated snippets for Add-ons, Translation types capabilities, Quality checks, and Automatic suggestions machines, and clarified merge-conflict behavior for exported repositories using shallow clones by default.

• Added PROJECT_WEB_RESTRICT_PRIVATE to reject project website and repository browser URLs targeting internal or non-public addresses, WEBHOOK_RESTRICT_PRIVATE to reject webhook URLs targeting internal or non-public addresses, and VCS_RESTRICT_PRIVATE to reject repository and push URLs targeting internal or non-public addresses. These are exposed in Docker as WEBLATE_PROJECT_WEB_RESTRICT_PRIVATE, WEBLATE_WEBHOOK_RESTRICT_PRIVATE, and WEBLATE_VCS_RESTRICT_PRIVATE.

• Improved performance of Weblate lookups.

• Screenshot and font upload forms now honor ALLOWED_ASSET_SIZE which now defaults to 10 MB.

• Expanded Weblate threat model to cover webhook trust boundaries and delegated authorization boundaries, and clarified the instance-wide 2FA enforcement path in Authentication.

• Reset and reapply recovery behavior now recreates missing translation files when possible and otherwise reports a clearer recovery error instead of failing later with a generic parse error.

• Updated Contribute to Weblate documentation to describe the current make -C docs update-docs workflow for generated snippets.

• Linked repository components now inherit Push on commit, Age of changes to commit, and Lock on error from the linked component that owns the repository.

• Git exporter now provides clearer push and missing-revision errors to authorized users.

• Faster category and project removals, and improved performance of project language counting and API listing on projects with shared components.

• Clarified Git LFS limits of Git exporter in the UI and docs.

• Improved Backing up and moving Weblate status reporting while keeping maintenance after failed backup attempts.

• Improved loading speed for comments on the translate page and reduced repeated metric queries when rendering activity charts on overview pages with cold caches.

Security fixes

• Hardened repository boundary checks for symlink targets (CVE 2026-40256 / GHSA-ffgh-3jrf-8wvh).

• Hardened component file handling for repository symlinks (CVE 2026-34242 / GHSA-hv99-mxm5-q397).

• Tightened Weblate’s REST API permission enforcement (CVE 2026-34393 / GHSA-3382-gw9x-477v).

• Hardened project-level Automatic suggestions against SSRF (CVE 2026-34244 / GHSA-xrwr-fcw6-fmq8).

• Tightened location validation in JavaScript localization CDN (CVE 2026-33220 / GHSA-mqph-7h49-hqfm).

• Enforced ALLOWED_ASSET_DOMAINS across redirects for asset downloads (CVE 2026-33440 / GHSA-5fhx-9jwj-867m).

• Hardened Webhook (CVE 2026-39845 / GHSA-f8hv-g549-hwg2).

• Removed unintended Translation Memory API endpoints (CVE 2026-33214 / GHSA-mpf5-3vph-q75r).

• Tightened API access control for pending tasks (CVE 2026-33212 / GHSA-vj45-x3pj-f4w4).

• Hardened Project level backups restore against repository-local VCS configuration and hooks from uploaded archives (CVE 2026-33435 / GHSA-558g-h753-6m33).

Bug fixes

• Project backup now preserves source translation read-only handling, and source-side pending commits without files are discarded to avoid repeated parse failures.

• Fixed background failures in Automatic translation.

• Generated SSH wrapper scripts are now stored in CACHE_DIR instead of persistent SSH storage, and obsolete or stale wrappers are cleaned up during upgrade.

• Hardened Git branch handling to reject invalid branch names before repository operations.

• Sanitized repository and upload backend errors before exposing them in UI and API responses.

• Matching exporters now honor component file format parameters.

• Per-project access tokens now clean up stale bot users on project deletion and upgrade, and prevent removing the last assigned team to avoid orphaning the token.

• Batch automatic translation now uses project-level machinery configuration instead of only site-wide settings.

• Fixed sorting by the Unreviewed column in listings.

• Fixed false positive in Chars around XML tags for Arabic letter Waw (“و”) adjacent to XML tags.

• Squash Git commits better handle commits applied upstream.

• list_checks now requires exactly one --sections value when writing generated documentation to a file using --output.

• Watched translations on the dashboard now use a stable language-aware ordering.

• Reduced error-reporting noise for handled authentication callback failures and clarified password reset confirmation messages.

• Automatic suggestions now falls back to the default API URL when base URL is empty.

• DeepL maps plain Portuguese to European Portuguese.

• MyMemory now falls back to HTTP status handling when the service returns a non-JSON error response.

• Push branches are no longer updated with upstream-only commits in multi-branch workflows.

• POT update add-ons now fall back to the component URL for the Report-Msgid-Bugs-To header when the component setting is empty.

• Improved repository lock error handling when deleting units.

• Adding new languages now rescans only the newly added languages instead of forcing a full component scan.

• Maximum size of translation previews now keep the configured text box visible and render overflowing text in red.

• Restored documented default encoding fallback for Apple iOS strings and Java properties when file format parameters are not explicitly set.

• Reduced repeated database queries in Fill read-only strings with source during the daily add-on task, and fixed auto-translation progress updates when the queued target disappears before execution.

• Android string resources now preserves template-defined escaped markup formatting when saving translations.

• REST API component creation now handles temporary uploaded files for docfile and zipfile uploads.

• SSH repository errors now distinguish changed host keys from missing host keys and avoid automatically trusting host key replacements.

• Automatic suggestions no longer treats translatable reStructuredText role content as Placeables in automatic suggestion.

• Mismatched interrobang now recognizes Arabic interrobang punctuation such as ؟! and !؟.

Compatibility

• The project_scope class attribute on add-ons has been removed. Third-party add-ons that used project_scope = True should override can_install() to return False when component is not None.

• The daily() method signature on add-ons has changed. Add-ons that previously overrode daily(component) to perform per-component work should now override daily_component(component) instead. The base daily() method automatically iterates components and calls daily_component() for each. Add-ons that can be optimized to operate at project scope should override daily(component, project) directly to implement project-level logic.

• Dropped support for MySQL and MariaDB as the database engine.

• Weblate now requires Django 6.0.

• Weblate now requires Git 2.46 or newer.

• Uploaded project backups are now validated more strictly during import and suspicious ZIP archives can be rejected; see Project level backups.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

• There are several changes in settings_example.py, most notably ADMINS syntax has changed in Django and SOCIAL_AUTH_PIPELINE and INSTALLED_APPS need adjustments; please adjust your settings accordingly.

• If you run Weblate in Docker and rely on IPv6 listeners, review WEBLATE_NGINX_IPV6. The default auto enables IPv6 listeners only when IPv6 is available in the container runtime; use on to always enable them or off to disable them.

• Outbound project links, webhook URLs, and repository or push URLs pointing to internal or non-public addresses are now rejected by default. If your setup intentionally uses internal addresses, adjust the corresponding restriction settings such as PROJECT_WEB_RESTRICT_PRIVATE, WEBHOOK_RESTRICT_PRIVATE, or VCS_RESTRICT_PRIVATE, and the related allowlists such as VCS_ALLOW_HOSTS.

Contributors

Code contributions
Michal Čihař, michael-smt, Kartik Ohri, bogusdominica, Karen Konou, Sven Hüster, Gersona, subnix, matilde-gillia, Steven Loria, felixfon, baltenaxis, Claw Explorer, Samuel Gomes

Translations contributions
PICOPress, Blueberry, Deleted User, Francisco Serrador, eulalio, Pavel Miniutka, Amir E. Aharoni, hoanghuy309, nKsyn, Jim Kats, Martin Srebotnjak, Zahid Rizky Fakhri, symegac, Francesco Marinucci, Michal Čihař, Hyeonjeong Lee, ovl-1, Tarás Lavrentiev, Edson Wolf, Yuri Chornoivan, Omer I.S., Arantxa, Tuomas Hietala, Milo Ivir, justcontributor, Kristoffer Grundström, Andi Chandler, Andrei Stepanov, ButterflyOfFire, Átila França, Мария Рангелова, EESF-2, CzaroGame, Agnieszka C, Manuela Silva, پرویز قادر, JiZPaper, Fjuro, Alexis Launay, tfr tint, Candied-Ecard, Kyotaro Iijima, Priit Jõerüüt, Matthaiks, Besnik Bleta, delvani, Mickaël Binos, VfBFan, UDP, Aindriú Mac Giolla Eoin, Adam Havránek, mohammadA, 大王叫我来巡山, Sketch6580, Dick Groskamp, Heimen Stoffels, Yaron Shahrabani, Любомир Василев, Максим Горпиніч, Emin Tufan Çetin, Horus68, Sjur N Moshagen, Peter Vančo, Romhányi-Kakucska Viktor, ZayedRashid, Julien Lepiller, Massimo Pissarello, Jeff Huang, ojppe, தமிழ்நேரம், ibragimov, Sylvestre Ledru, Ldm Public, pan93412, Jernej Pangerc, Luciana Waldbaur, username-generic, jonnysemon, syl, Arif Budiman, Max Kleinehelleforth, Carp300, Yago Raña Gayoso, anas agha, Ettore Atalan

Documentation contributions
Michal Čihař, Kartik Ohri, Sven Hüster, Dylan Kiss (dyki), Gersona, michael-smt, matilde-gillia, Steven Loria, baltenaxis, Claw Explorer, Samuel Gomes

All changes in detail.