Weblate 2026.6.1

Released on June 1st 2026.

Bug fixes

• Language-wide Announcements no longer break language overview pages.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař

Documentation contributions
Michal Čihař

All changes in detail.

Weblate 2026.6

Released on June 1st 2026.

New features

• Announcements can now also be managed via the Weblate’s REST API for specific project languages.

• Team memberships can now be limited to selected languages for per-user translation permissions.

• Added cost estimates to translation reports.

• Added optional OpenTelemetry tracing for backend requests and tasks, and Google Cloud Error Reporting for handled server errors.

• Added Workspaces to group related projects, with workspace project listings, workspace-scoped teams and project creation permissions, inherited workspace, project, and category defaults for selected component settings, and billing details when available.

Improvements

• Docker containers can now configure WEBLATE_SAML_SECURITY_CONFIG to customize SAML security settings, and adjust WEBLATE_FORMATS using WEBLATE_ADD_FORMATS and WEBLATE_REMOVE_FORMATS.

• Improved performance of the Inconsistent check on large projects.

• Contributor stats now de-duplicate repeated work on the same string by default, with an option to count all changes.

• Code hosting integrations now documents HTTPS access-token URLs and dedicated-user SSH URLs for accessing repositories, and Continuous localization now explains why squash merging Weblate conflict-resolution pull requests can require a repository reset.

• Translation component diagnostics now include dismissible component diagnostics for community localization.

• Screenshots and visual context now support bulk assignment from search or image text recognition results, make finding strings in uploaded images easier to discover, show source string coverage counts, and include advanced listing search.

• Software Bill of Material release artifacts now include CISA 2025 document-level metadata.

Bug fixes

• Outbound URL validation now rejects additional non-public targets (GHSA-vmfc-9982-2m45).

• Project-language Announcements no longer appear across the whole project.

• Hardened POST /api/screenshots/ access checks against private project enumeration.

• Registration-attempt account activity e-mails now link to password reset to help users finish account setup.

• Inviting new users links now work for signed-in users whose account owns the invited e-mail address.

• Searching for strings with content changes without a recorded author now supports changed_by:"", and combined change filters now apply to the same change event.

• Gitea and Forgejo pull requests no longer reconfigure existing fork remotes to point to the source repository.

• Project and category language translation sessions now keep strings grouped by component priority and show component switch warnings reliably.

• Engage page task links now stay centered and show the target translation language.

• Gettext POT update add-ons now rescan translations after committing updated POT and PO files.

• Git repositories now update branches correctly when the remote also has a tag with the same name.

• Conflicting repository setup alerts now allow same-branch direct pushes.

• Obsolete cleanup schedules are now removed from Celery beat during upgrade.

• Translation pages for workspace projects no longer crash when workspace fields are deferred.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

• There is a change in INSTALLED_APPS; weblate.workspaces should be added.

• The database migrations might take longer on larger instances.

Contributors

Code contributions
Michal Čihař, Karen Konou, Weblate CI, Basheer Radman, michael-smt, Kristián Kunc, felixfon

Translations contributions
Michal Čihař, VfBFan, 大王叫我来巡山, Emin Tufan Çetin, Basheer Radman, 為什麼不加空格, Peter Vančo, Christian Wia, Любомир Василев, Matthaiks, Andrei Stepanov, Libre, Besnik Bleta, ℂ𝕠𝕠𝕠𝕝 (𝕘𝕚𝕥𝕙𝕦𝕓.𝕔𝕠𝕞/ℂ𝕠𝕠𝕠𝕝), Balázs Meskó, Aindriú Mac Giolla Eoin, Adam Havránek, Dick Groskamp, Arif Budiman, Mickaël Binos, Ryo Nakano, hoanghuy309, Pierfrancesco Passerini, Alefsander Ribeiro Nascimento, Massimo Pissarello, justcontributor, 이정희, Cabdi Waaxid Siciid, Yaron Shahrabani, User2068, Kyotaro Iijima, pan93412, jernejp21, libermax, Phileas Fogg, Fjuro, Jim Kats, Fulup Jakez, Priit Jõerüüt, Ldm Public, Andi Chandler, Burak SDN, ojppe

Documentation contributions
Michal Čihař, VfBFan, Basheer Radman, Weblate CI, michael-smt, felixfon

All changes in detail.

Weblate 2026.5

Released on May 15th 2026.

New features

• Added MDX files support for translating Markdown text while preserving JSX syntax, with File format parameters shared with Markdown files for line wrapping, code blocks, front matter, and placeholder handling.

• Added extended LLM translation context for automatic suggestions, covering string context, explanations, secondary-language translations, plurals, failing checks, and placeholders.

• Added a digest-only translation activity summary notification, see Notifications.

• CSV and XLSX downloads in Downloading translations now export plural strings as separate plural-form rows that can be imported back.

• Added Gettext PO and POT File format parameters to control whether Weblate updates the Language-Team, Last-Translator, X-Generator, and Report-Msgid-Bugs-To headers.

• Added a backup to run configured backup services synchronously.

• The translation memory lookup API can now skip fuzzy matching with the exact query parameter.

• Added Translation files CDN to publish translation files to the configured CDN.

Improvements

• Using DOS line endings can now be configured using the dos_eol File format parameters.

• OpenAI and Alibaba no longer require their vendor Python SDKs.

• Audited project and component setting changes are now recorded in history.

• Gerrit review pushes now use Push branch as the target branch.

• Weblate now checks whether CACHE_DIR allows executing generated helper files.

• The Software Bill of Material is now generated during release and published as a versioned release asset instead of being stored in the source repository.

• The translating page now separates screenshots from string information, collapses rarely used string details, and groups glossary and screenshot actions more consistently.

• Project access management now paginates users and better explains site-wide automatic team assignments.

• Added provider-oriented code hosting documentation and Gettext-style Plural formula guidance.

• The Python wheel no longer ships source translation catalogs, test files, or deployment example files, reducing the installed package size.

• The engage page now highlights actionable translation task buckets for newcomers.

• RSS feeds can now use the same filters as the changes browsing page.

• Update gettext template (Django) now supports gettext PO files used as templates when they are excluded by the language filter.

• Reworked Weblate threat model into a contract-style document.

Bug fixes

• Hardened search previews and Automatic suggestions suggestion origins against XSS, and stopped exposing database error details in upload failures.

• Screenshot URL uploads, remote HTML extraction in JavaScript localization CDN, and URL health-check redirects now reject internal or non-public targets by default.

• Gerrit review pushes now reject target branches containing push options, track the target branch before invoking git-review, and suggest short branch names when full refs are supplied.

• Category Announcements no longer appear across the whole project, and translation announcement deletion now honors language-scoped permissions.

• Merge request pushes now refresh stale fork remotes after changing repository hosting.

• Plural counts parsed from translation file headers are now bounded, and plural formulas are rejected when they can evaluate outside the configured plural form range.

• Per-project access tokens expiring today now remain valid until the end of the day.

• Malformed ALTCHA CAPTCHA submissions and repository URLs in webhook payloads no longer cause server errors.

• Placeholders now merges overlapping non-nested spans from multiple flags.

• Backing up and moving Weblate logs no longer include OpenSSH post-quantum key exchange warnings from remote Borg connections.

• Category repository paths are now handled more safely during cleanup and moves.

• Locked component pages now show an unsubscribe action after subscribing to unlock notifications.

• Project level backups imports now restore in the background to avoid web worker memory limits.

Compatibility

• The dos-eol flag is no longer supported. Use the dos_eol File format parameters instead.

• The registration CAPTCHA now uses the ALTCHA widget v3 protocol with Argon2id proof-of-work.

• The set_language_team project attribute has been replaced with the po_set_language_team file format parameter at the component level; see File format parameters.

• Weblate now uses calendar versioning for releases, see Release cycle.

• Weblate now uses stricter dependency version constraints to better control runtime environment.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

• The ALTCHA_MAX_NUMBER setting has been replaced by <a href="h...

Weblate 5.17.1

Released on April 30th 2026.

New features

• Add-ons that opt in to manual triggering can now be run from add-on management and the Add-ons.

• Admins can now clean up blocked or abusive users by reverting edits, rejecting pending suggestions, and deleting comments across project or site-wide scopes.

• Admin user management can now find users by audit log IP address.

• Announcements can now also be managed via the Weblate’s REST API for categories.

• Added LTEngine machine translation service.

Improvements

• Improved documentation for the global user.edit permission, Autoclean translation memory, Terminology, and current Translation Memory management options in the UI.

• Improved Screenshots and visual context documentation and linked it from the screenshots UI.

• Documented restoring Docker-based setups from backups, see Restoring Docker based setup.

• Clarified Generic upgrade instructions to state that Celery queues should be empty before upgrading.

• The OpenAPI schema is cleaner and now describes action endpoints with their actual list, statistics, status, upload, and download response payloads.

• The web installation flow for Add missing languages now shows a preview and requires confirmation before creating missing language files across projects, categories, or site-wide scopes.

• Component discovery now offers guided client-side presets, suggests presets detected from component repository layouts, validates {{ component }} more clearly, and includes a worked discovery-template example in the docs.

• Superuser and site-wide team changes are now tracked in Audit log.

• URL validation alerts now show clearer errors for project website and repository browser URLs, and project-level machine translation validation better explains private or local endpoint restrictions on hosted and self-managed sites.

• Automatic translation now attributes copied translations to the add-on user and records automatic translation results in the add-on activity log.

• Extended the conflicting repository setup alert to direct Git pushes, see Translation component alerts.

• Profile links now show an external-link warning where possible.

• Client-side popup notifications triggered by JavaScript now use Bootstrap toasts, with higher-contrast dark theme colors for Bootstrap subtle and emphasis variants.

• The SSH keys management page can now remove stored host keys so changed host keys can be replaced there.

• Project listings now show review progress columns when any listed project has reviews enabled.

Bug fixes

• Image URLs in Markdown are now escaped before rendering (GHSA-5cmv-3rc4-7279).

• Tightened Weblate’s REST API input validation to prevent translation enumeration (GHSA-gcg5-86jr-f7jg).

• Project backup imports now revalidate component repository URLs before restoring from backup (CVE 2026-41654 / GHSA-cwcx-382v-8m9g).

• Fixed revert links in the translate-view history tab after moving a component to another project.

• Invitation acceptance now verifies the invited e-mail address and invitation expiry before granting team membership.

• Inconsistent reStructuredText no longer crashes on repeated explicit-link targets.

• The Add-ons now validates required add-on configuration when installing add-ons.

• Component updates no longer time out waiting on their own repository lock during validation.

• Punctuation spacing check no longer triggers false positives for placeholders.

• Repository alerts, history entries, and task messages now preserve multiline Git and SSH backend error output.

• Interrupted Git rebases now recover more reliably after worker restarts, and signal-terminated backend commands are reported more clearly.

• Borg backups that finish with warnings are no longer shown as failed in the management UI, and backup logs now show C entries for files that changed during the backup.

• Git exporter no longer rejects shared-history fetches just because the first negotiated have revisions are newer than Weblate’s local history.

• Weblate Translation Memory automatic translation avoids broad PostgreSQL searches.

• Malformed IPv6 repository URLs no longer crash SSH host key detection.

• Update POT file (xgettext) and related POT update add-ons now replace the standard descriptive-title placeholder in normalized POT headers again.

• Update POT file (Django) now skips repository locale trees during preflight validation, fixing components that store django.pot in a top-level locale directory.

• Screenshot OCR now skips corrupted or truncated image files instead of failing the request.

• Monolingual component validation now honors Source language when checking duplicate files alongside a separate Monolingual base language file.

• Translation memory upload and import_memory now report a validation error for TMX files missing the required header instead of failing the request.

• <a href="https://docs.weblate.org/en/weblate-5.17.1/admin/machine.html#mt-weblate-translation-memory" class="r...

Weblate 5.17

Released on April 15th 2026.

New features

• Added PROJECT_WEB_RESTRICT_ALLOWLIST to exempt selected project slugs from project website restriction settings.

• Added WEBSITE_ALERTS_ENABLED setting to allow disabling project website availability checks and alerts.

• Added new management command list_format_features, which generates RST documentation snippets describing the supported features for every file format.

• Shared components can now be categorized within the target project, including through the Weblate’s REST API using the category_id parameter.

• Added Update POT file (xgettext), Update POT file (Meson), Update POT file (Django), and Update POT file (Sphinx) to update POT files with configurable update cadence.

• Added PASSWORD_RESET_URL to customize the sign-in page password reset link, useful for external identity providers (Docker env: WEBLATE_PASSWORD_RESET_URL).

• Added bulk user invitations.

• Added Objective-C format.

• Added Forgejo notification webhook, see Automatically receiving changes from Forgejo Repos.

• Added translation memory API filtering, scoped access, and bulk lookup support.

• Added from_component support to the REST API for creating components from existing component content and for seeding new translations by automatic translation from existing components.

• Announcements can now be managed via the Weblate’s REST API for projects, components and translations.

• Added a soft mode to VERSION_DISPLAY to hide the Weblate version from prominent UI while keeping it available on the About page and GET /api/metrics/.

Improvements

• Track origin of newly added source strings.

• Markdown now uses auto-safe-html by default, applying Unsafe HTML and Unsafe HTML cleanup only to plain text and source strings that contain standard HTML markup or valid custom elements.

• Improved LLM interfaces for better reliability.

• Improved logic for adding monolingual plurals in GNU gettext PO (Portable Object).

• Added a component alert for conflicting merge request repository setup, see Translation component alerts.

• Improved plural handling in Automatic translation.

• Improved error messages in some Weblate’s REST API endpoints.

• Updated Microsoft Entra ID authentication docs and Microsoft sign-in branding while keeping legacy Azure AD backend identifiers and documentation anchors for compatibility.

• Improved performance of project and category search result pages with very large match sets.

• Docker now exposes WEBLATE_COMMIT_PENDING_HOURS, WEBLATE_SOCIAL_AUTH_KEYCLOAK_ID_KEY for customizing the Keycloak unique user identifier claim, and WEBLATE_NGINX_IPV6 for controlling IPv6 listeners in the bundled NGINX.

• Project history now records project backups and project/component restore events.

• Improved documentation with auto-generated snippets for Add-ons, Translation types capabilities, Quality checks, and Automatic suggestions machines, and clarified merge-conflict behavior for exported repositories using shallow clones by default.

• Added PROJECT_WEB_RESTRICT_PRIVATE to reject project website and repository browser URLs targeting internal or non-public addresses, WEBHOOK_RESTRICT_PRIVATE to reject webhook URLs targeting internal or non-public addresses, and VCS_RESTRICT_PRIVATE to reject repository and push URLs targeting internal or non-public addresses. These are exposed in Docker as <span...

Weblate 5.16.2

Released on March 6th 2026.

New features

• New setting PUBLIC_ENGAGE to make the engage page public even with REQUIRE_LOGIN.

Improvements

• Improved matching in Translation Memory.

• Show the number of strings waiting for review in listings.

Bug fixes

• Avoid displaying confusing status icons for ghost languages on project or category level.

• Fixed missing plural source strings when creating new bilingual plural units.

• Crash on certain pages with nested categories.

• Improved API validation when adding strings.

• Disabled throttling for incoming webhooks.

• Avoid displaying non-actionable ghost languages.

• Fixed highlighting in the translation editor.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař, Karen Konou, Kartik Ohri

Documentation contributions
Michal Čihař

All changes in detail.

Weblate 5.16.1

Released on February 26th 2026.

New features

• AsciiDoc files, XLIFF 1.1 and 1.2 with Apple extensions, and WixLocalization file are now supported file formats.

• Added REGISTRATION_ALLOW_DISPOSABLE_EMAILS to optionally allow disposable e-mail domains during registration (Docker env: WEBLATE_REGISTRATION_ALLOW_DISPOSABLE_EMAILS).

Improvements

• Improved documentation for translation states to clarify the difference between Needs editing, Needs rewriting, and Needs checking states.

• Improved initial import of translations for Markdown files and HTML files.

Bug fixes

• Slack Webhooks properly delivers all events.

• Punctuation spacing better handles XML markup.

• Stringsdict format better handle some plurals.

• Improved plurals handling for language variants.

• Fixed API access control.

  • Users can manage their own notification subscriptions via the API.

  • Project administrators can manage teams in their projects via the API, according to access control rules.

  • The add-ons listing in the API now correctly honors user permissions (CVE 2026-27457 / GHSA-wppc-7cq7-cgfv).

• Fixed source column being cleared when translating monolingual CSV files.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař, Simon Urli, Karen Konou, Kartik Ohri, Hendrik Leethaus

Translations contributions
Heimen Stoffels, Michal Čihař, delvani, Yaron Shahrabani, ℂ𝕠𝕠𝕠𝕝 (𝕘𝕚𝕥𝕙𝕦𝕓.𝕔𝕠𝕞/ℂ𝕠𝕠𝕠𝕝), Priit Jõerüüt, Zahid Rizky Fakhri, Pierfrancesco Passerini, Massimo Pissarello, Romhányi-Kakucska Viktor, Mickaël Binos, Milo Ivir, Blueberry, 大王叫我来巡山, VfBFan, Besnik Bleta, Nikolay Korotkiy, Pavel Borecki, Matthaiks, Agnieszka C, Emin Tufan Çetin, Agustina Giselle, Fjuro, RViktor, ojppe, eulalio, Pavel Miniutka, Kristoffer Grundström, Aindriú Mac Giolla Eoin, reducedradius, Максим Горпиніч, Руслан Пузич, Francisco Serrador, Kyotaro Iijima, Petr Kadlec, தமிழ்நேரம், Dick Groskamp, PICOPress, justcontributor, Valentin Ljuba, Daniel Nylander, Arantxa, Marino Díaz, Artemka

Documentation contributions
Michal Čihař, michael-smt, Kartik Ohri, Hendrik Leethaus

All changes in detail.

Weblate 5.16

Released on February 16th 2026.

New features

• Multiple capitals quality check.

• XML surrounding characters reduce translation errors for strings with XML entities.

• Bulk accepting suggestions from a specific user in Suggestions.

• Cloning suggestions into translation in Suggestions.

• HIDE_SHARED_GLOSSARY_COMPONENTS to hide glossaries shared into other projects.

• Added new management command list_change_events, which lists all possible change events, Change events.

• Added Anthropic machinery integration, see Anthropic.

• Encoding for Localization file formats can now be configured using File format parameters (e.g., csv_encoding, properties_encoding).

• Added support for anonymous commit names via PRIVATE_COMMIT_NAME_TEMPLATE.

• Consolidating identical strings in Markdown files, HTML files, and Text files files using *merge_duplicates parameters in File format parameters.

Improvements

• Delete announcements permission can be assigned to teams, see List of privileges.

• Searching better reports errors in the query strings.

• Regular repository maintenance is now performed in the background.

• Repository cleanup now recovers failed merges or rebases.

• Better visibility of Translation quality filter to translators.

• Validation of VCS settings Pushing changes from Weblate has been extended.

• The default values for Enable reviews and Enable source reviews can be configured in settings.

• The PRIVATE_COMMIT_EMAIL_TEMPLATE now supports the {user_id} and {site_title} variables.

• The default value for personal translation memory contribution is now based on the DEFAULT_AUTOCLEAN_TM configuration.

Bug fixes

• Argument injection in the management console (CVE 2026-24126 / GHSA-33fm-6gp7-4p47).

• Adding plural strings with singular matching existing string is now prohibited for bilingual translations (see Bilingual and monolingual formats).

• Automatic Repository browser URL for common code hosting sites.

• Improved cache isolation for suggestion checks to avoid interference with the parent unit checks.

• Gracefully handle invalid check flags in Customizing behavior using flags.

• App store metadata files no longer rewrites unchanged files.

Compatibility

• Regular expression no longer marks matched portions as non-translatable to allow generic regular-expression-based checking of strings. Use Placeholders for checking regular expression matched placeholders.

• The default value for WEBLATE_FORMATS changed because of the removal of encoding-specific formats.

• File formats that only differed in encoding (CSV, GWT Properties, Java Properties, iOS Strings) have been merged into single formats.

• Fonts used by Weblate are now shipped in a standalone package.

• Dropped deprecated compatibility wrappers some classes with typos.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař, Kartik Ohri, Karen Konou, Serrano Pereira, moonchoe, softworkz, Gersona, hugorezende, Hendrik Leethaus, AliceVisek, devimarj, evanjhoward11, Zahid Rizky Fakhri, Francisco Serrador

Translations contributions
தமிழ்நேரம், Andi Chandler, Daniel Nylander, Michal Čihař, VfBFan, ButterflyOfFire, Emin Tufan Çetin, eulalio, Milo Ivir, Yuri Chornoivan, 大王叫我来巡山, Zahid Rizky Fakhri, Peter Vančo, Kyotaro Iijima, amano, Hyeonjeong Lee, Yaron Shahrabani, Massimo Pissarello, Blueberry, Aindriú Mac Giolla Eoin, CRISTIAN ANDREI, Максим Горпиніч, Shah Zaman Pathan, Eduard Ereza Martínez, Alexis Launay, Luis Carlos González Morales, AlaxLima, Andrei Stepanov, Pierfrancesco Passerini, Valentin Ljuba, Anusuk Sangubon, Supaplex, Besnik Bleta, Matthaiks, Agnieszka C, Sketch6580, Mickaël Binos, U G, Kristoffer Grundström, Fjuro, 109247019824, Miguel A. Bouzada, Jim Spentzos, Fulup Jakez, Jim Kats, Omer I.S., nautilusx, jonnysemon, Martin Srebotnjak, Umida Hikmatilla, Arif Budiman, Ldm Public, pan93412, Heimen Stoffels, Romhányi-Kakucska Viktor, Pedro Leite, RViktor, Dick Groskamp, Alexander Gabilondo, Любомир Василев, Francisco Serrador, devimarj, Cyrille Duverne, 大学没毕业, Hotripak, delvani, A J.

Documentation contributions
Michal Čihař, Kartik Ohri, moonchoe, Karen Konou, softworkz, Serhii H., shorelskyi, Gersona, hugorezende, Hendrik Leethaus, AliceVisek, devimarj, evanjhoward11

All changes in detail.

Weblate 5.15.2

Released on January 14th 2026.

Improvements

• Statistics generator is now triggered upon installation.

• Screenshots updated from the repository have proper history.

• reStructuredText syntax error now reports unintended list conversion.

• Unchanged translation check ignores AsciiDoc source code blocks.

Bug fixes

• Information leak via screenshots (CVE 2026-21889 / GHSA-3g2f-4rjg-9385).

• Explanation sync in TermBase eXchange format.

• User interface fixes.

• Clarified needs editing/checking/rewriting states.

• Automatically translated flag with bulk approvals.

• GitHub forks no longer trigger actions.

• Tighter validation of user provided websites to avoid confusing homoglyphs.

• Glossary support in Google Cloud Translation Advanced.

• Invitations accepting when REQUIRE_LOGIN is turned on.

• CyrTranslit installation.

Compatibility

• Screenshot images are no longer served directly by the HTTP server, please adjust your HTTP server by removing serving of /media/.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

• To make the fix for CVE 2026-21889 effective, the serving of /media/ path should be removed from the HTTP server configuration; see Serving static files.

Contributors

Code contributions
Michal Čihař, Kartik Ohri, Karen Konou, Marek Lukášík, shyraptor, Korpyc, Benjamin Alan Jamie

Translations contributions
Jim Kats, Horus68, Francisco Serrador, VfBFan, Fjuro, Andi Chandler, Eduard Ereza Martínez, Takeru Mikenu, eulalio, Mickaël Binos, Любомир Василев, Peter Vančo, Mateus Liberale Gomes, Hanu E., Pierfrancesco Passerini, amano, Blueberry, ButterflyOfFire, Basheer Radman, therealmate, មនុញ្ញ - MᴇᴀнNսɴн, தமிழ்நேரம், EdoAug, Zahid Rizky Fakhri, Milo Ivir, Kristoffer Grundström, searinminecraft, Kyotaro Iijima, adecorte, Priit Jõerüüt, Rhoslyn Prys, Shah Zaman Pathan, Daniel Nylander, Michal Čihař, Kristijan "Fremen" Velkovski, Aindriú Mac Giolla Eoin, Tuomas Hietala, 이정희, pan93412, Anusuk Sangubon, پرویز قادر, Fulup Jakez, Matthaiks, Besnik Bleta, Hotripak, 大王叫我来巡山, Agnieszka C

Documentation contributions
Michal Čihař, Kartik Ohri, michael-smt, Marek Lukášík, shyraptor, Korpyc, alexis-pinon, Benjamin Alan Jamie

All changes in detail.

Weblate 5.15.1

Released on December 18th 2025.

New features

• Added GET /api/projects/(string:project)/languages/(string:language_code)/file/ to download a ZIP file of all component translations of a project for a specified language.

Improvements

• Updated list of OpenAI models.

• Added Migrating to Weblate guide to help users migrate from other localization platforms.

• Gracefully handle unreachable authentication providers.

• Update language definitions to CLDR 48.

Bug fixes

• Git config file overwrite remote code execution (CVE 2025-68398 / GHSA-8vcg-cfxj-p5m3).

• Arbitrary file read via symbolic links (CVE 2025-68279 / GHSA-g925-f788-4jh7).

• Locking error that prevented updating linked components.

• Fixed e-mail SSL configuration in Docker container.

• Invitations on sites with required authentication.

Upgrading

Please follow Generic upgrade instructions in order to perform update.

Contributors

Code contributions
Michal Čihař, Karen Konou, Kartik Ohri, ZhuHengjin, Edison, aditi-agni, aditi, Edison Dao, biplopghimire

Translations contributions
eulalio, Yauhen, Emin Tufan Çetin, Priit Jõerüüt, Любомир Василев, Fjuro, Zahid Rizky Fakhri, Takeru Mikenu, ButterflyOfFire, 김인수, Manuela Silva, Pierfrancesco Passerini, Michal Čihař, 大王叫我来巡山, Dick Groskamp, Максим Горпиніч, Matthaiks, γλωσσολαλιά, Turkish Language Team 🇹🇷, Besnik Bleta, Massimo Pissarello, មនុញ្ញ - MᴇᴀнNսɴн, Jim Kats, Aindriú Mac Giolla Eoin, VfBFan

Documentation contributions
Michal Čihař, ZhuHengjin, Edison, aditi-agni, aditi, Edison Dao, biplopghimire

All changes in detail.