Tolgee

tolgee

6 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (6)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-32251 1Tolgee 1Tolgee Mar 20, 2026 Mar 12, 2026 9.3 CRITICAL· v4 6.5 MEDIUM· v3 N/A· v2 Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can im...Show more Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.Show less
CVE-2024-52297 1Tolgee 1Tolgee Sep 11, 2025 Nov 12, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Tolgee is an open-source localization platform. Tolgee 3.81.1 included the all configuration properties in the PublicConfiguratioDTO publicly exposed to users. This vulnerability is fixed in v3.81.2.
CVE-2024-32470 1Tolgee 1Tolgee Sep 11, 2025 Apr 18, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.
CVE-2024-32466 1Tolgee 1Tolgee Sep 11, 2025 Apr 18, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` sc...Show more Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2 Show less
CVE-2023-41316 1Tolgee 1Tolgee Nov 21, 2024 Sep 7, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from...Show more Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitation emails which appear as legitimate org invitations. Bad actors may direct users to malicious website or execute javascript in the context of the users browser. This vulnerability has been addressed in version 3.29.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2023-38510 1Tolgee 1Tolgee Nov 21, 2024 Jul 27, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key,...Show more Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1.Show less