WeblateOrg/weblate weblate-5.17.1

Weblate 5.17.1

on GitHub

Released on April 30th 2026.

New features

• Add-ons that opt in to manual triggering can now be run from add-on management and the Add-ons.

• Admins can now clean up blocked or abusive users by reverting edits, rejecting pending suggestions, and deleting comments across project or site-wide scopes.

• Admin user management can now find users by audit log IP address.

• Announcements can now also be managed via the Weblate’s REST API for categories.

• Added LTEngine machine translation service.

Improvements

• Improved documentation for the global user.edit permission, Autoclean translation memory, Terminology, and current Translation Memory management options in the UI.

• Improved Screenshots and visual context documentation and linked it from the screenshots UI.

• Documented restoring Docker-based setups from backups, see Restoring Docker based setup.

• Clarified Generic upgrade instructions to state that Celery queues should be empty before upgrading.

• The OpenAPI schema is cleaner and now describes action endpoints with their actual list, statistics, status, upload, and download response payloads.

• The web installation flow for Add missing languages now shows a preview and requires confirmation before creating missing language files across projects, categories, or site-wide scopes.

• Component discovery now offers guided client-side presets, suggests presets detected from component repository layouts, validates {{ component }} more clearly, and includes a worked discovery-template example in the docs.

• Superuser and site-wide team changes are now tracked in Audit log.

• URL validation alerts now show clearer errors for project website and repository browser URLs, and project-level machine translation validation better explains private or local endpoint restrictions on hosted and self-managed sites.

• Automatic translation now attributes copied translations to the add-on user and records automatic translation results in the add-on activity log.

• Extended the conflicting repository setup alert to direct Git pushes, see Translation component alerts.

• Profile links now show an external-link warning where possible.

• Client-side popup notifications triggered by JavaScript now use Bootstrap toasts, with higher-contrast dark theme colors for Bootstrap subtle and emphasis variants.

• The SSH keys management page can now remove stored host keys so changed host keys can be replaced there.

• Project listings now show review progress columns when any listed project has reviews enabled.

Bug fixes

• Image URLs in Markdown are now escaped before rendering (GHSA-5cmv-3rc4-7279).

• Tightened Weblate’s REST API input validation to prevent translation enumeration (GHSA-gcg5-86jr-f7jg).

• Project backup imports now revalidate component repository URLs before restoring from backup (CVE 2026-41654 / GHSA-cwcx-382v-8m9g).

• Fixed revert links in the translate-view history tab after moving a component to another project.

• Invitation acceptance now verifies the invited e-mail address and invitation expiry before granting team membership.

• Inconsistent reStructuredText no longer crashes on repeated explicit-link targets.

• The Add-ons now validates required add-on configuration when installing add-ons.

• Component updates no longer time out waiting on their own repository lock during validation.

• Punctuation spacing check no longer triggers false positives for placeholders.

• Repository alerts, history entries, and task messages now preserve multiline Git and SSH backend error output.

• Interrupted Git rebases now recover more reliably after worker restarts, and signal-terminated backend commands are reported more clearly.

• Borg backups that finish with warnings are no longer shown as failed in the management UI, and backup logs now show C entries for files that changed during the backup.

• Git exporter no longer rejects shared-history fetches just because the first negotiated have revisions are newer than Weblate’s local history.

• Weblate Translation Memory automatic translation avoids broad PostgreSQL searches.

• Malformed IPv6 repository URLs no longer crash SSH host key detection.

• Update POT file (xgettext) and related POT update add-ons now replace the standard descriptive-title placeholder in normalized POT headers again.

• Update POT file (Django) now skips repository locale trees during preflight validation, fixing components that store django.pot in a top-level locale directory.

• Screenshot OCR now skips corrupted or truncated image files instead of failing the request.

• Monolingual component validation now honors Source language when checking duplicate files alongside a separate Monolingual base language file.

• Translation memory upload and import_memory now report a validation error for TMX files missing the required header instead of failing the request.

• Weblate Translation Memory no longer misses boundary similarity matches after stricter lookups.

• The missing file-mask matches alert is now restored after rescans that leave only the source translation.

• Component discovery now disables inherited string management for discovered formats that do not support adding or removing strings.

• Automatic translation from other components now ignores read-only source candidates with empty translations.

• Project component pagination now keeps the Components tab active when jumping to a typed page number.

• Markdown rendering now falls back to escaped plain text when the parser fails.

• Forgejo and Gitea test deliveries with sample loopback repository URLs no longer trigger slow suffix matching against all components.

Compatibility

• Password changes now regenerate personal API keys by default (CVE 2026-41519 / GHSA-6j8j-4qp3-36p2).

• VCS_RESTRICT_PRIVATE and WEBHOOK_RESTRICT_PRIVATE now reject URLs whose hostnames cannot be resolved during validation unless the host is explicitly allowed.

• Profile URL validation now rejects obvious direct file download URLs and invalid code site or Fediverse profile links.

• Uploads now enforce TRANSLATION_UPLOAD_MAX_SIZE, COMPONENT_ZIP_UPLOAD_MAX_SIZE, and PROJECT_BACKUP_UPLOAD_MAX_SIZE before parsing. Component ZIP imports and project backup restores now share stricter ZIP archive safety checks, including total uncompressed data limits for project backup imports.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař, Gersona, Karen Konou, michael-smt

Translations contributions
Michal Čihař, Besnik Bleta, Kristoffer Grundström, Francisco Serrador, ButterflyOfFire, anas agha, Zahid Rizky Fakhri, pan93412, Hyeonjeong Lee, VfBFan, 大王叫我来巡山, Yuri Chornoivan, LucasMZ, Átila França, Rafael Fontenelle, Aindriú Mac Giolla Eoin, UDP, Blueberry, Hotripak, Matthaiks, Agnieszka C, Priit Jõerüüt, Martin Srebotnjak, Fjuro, Andrei Stepanov, Mickaël Binos, IEEE-754, Adrian Reyes, bovirus, Max Kleinehelleforth, justcontributor, Yago Raña Gayoso, Horus68, Любомир Василев, CYAXXX, Andi Chandler, Adam Havránek, Kyotaro Iijima, Arif Budiman, ovl-1, Laitei, Jim Kats, Omer I.S., Fulup Jakez, ojppe, Julien Humbert, Jim Spentzos, Sketch6580, Dick Groskamp, 王晨旭, Frank Paul Silye, Anucha Hlownonkor, Milo Ivir

Documentation contributions
Michal Čihař, Gersona, michael-smt

All changes in detail.