VulnerAlert



CLOUD
16-12-2025 16:51

CVE-2025-66407 Documented vulnerability

No score
Tags
#data
#web
#source
#server
#git
#form
#diff
#config
#add
#cloud
#application
#git config
#affected
#arbitrary
#ssrf
#server-side request forgery
#error
#dangerous
#compromise
#allow
#attack
#access
#affect
Description
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both the version control system and the source code repository URL to pull from. However, prior to 5.15, the repository URL field was not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames and IP addresses, including localhost, internal network addresses and local filenames. When Mercurial is selected as the VCS, the application exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal endpoints, this behavior also enables file enumeration by attempting file:// requests. While file contents may not always be returned, the application's error messages clearly differentiate between files that exist and files that do not, revealing information about the server's filesystem layout. In cloud environments this is particularly dangerous, as internal-only endpoints such as metadata services become accessible, potentially leading to credential disclosure and environment compromise. The issue has been addressed in the 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected, as Git was already configured to block the file protocol and does not expose content in the error message.
https://github.com/WeblateOrg/weblate/pull/17102
https://github.com/WeblateOrg/weblate/pull/17103
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
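The description above boils down to one missing control: a user-supplied repository URL was handed to the VCS backend without checking its scheme or destination. The following is an added example of the kind of allowlist check a deployment could apply to such a field before any fetch happens; it is not Weblate's own code and not the patch from the linked pull requests. The allowed scheme set, the `validate_repo_url` name and the optional `resolve` hook are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: schemes a deployment is willing to let a component pull from.
# file:// and plain http:// are deliberately absent.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})


def _is_forbidden_address(ip):
    """True for addresses a server-side fetch must never reach:
    loopback, RFC 1918, link-local (which covers the 169.254.169.254
    cloud metadata address), multicast, reserved and unspecified."""
    # Normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) to its IPv4 form so the
    # checks below see the real target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_repo_url(url, allowed_schemes=ALLOWED_SCHEMES, resolve=None):
    """Return (ok, reason) for a repository URL typed into a web form.

    resolve: optional callable hostname -> list of IP strings.  When given,
    every resolved address is checked too, so a DNS name pointing at an
    internal host is rejected as well.  Left out here so the example runs
    offline; a deployment would pass a wrapper around socket.getaddrinfo.
    Note: scp-like syntax (git@host:path) has no scheme and is rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        # Rejecting file:// here also removes the exists/does-not-exist
        # oracle from error messages: the request never reaches the VCS.
        return False, f"scheme {scheme!r} not allowed"

    host = parts.hostname
    if not host:
        return False, "missing hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: only checkable further if a resolver is supplied.
        if resolve is not None:
            for addr in resolve(host):
                if _is_forbidden_address(ipaddress.ip_address(addr)):
                    return False, f"{host} resolves to non-public {addr}"
        return True, "ok"

    if _is_forbidden_address(ip):
        return False, f"address {ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the advisory names.
    for candidate in [
        "https://github.com/WeblateOrg/weblate.git",
        "file:///etc/passwd",
        "http://169.254.169.254/latest/meta-data/",
        "https://[::ffff:127.0.0.1]/repo",
        "https://localhost/repo",
    ]:
        print(candidate, "->", validate_repo_url(candidate))
```

The check runs before the backend is invoked, so the VCS never sees the URL and cannot leak a response body or a file-existence error. Resolving hostnames with the `resolve` hook closes the obvious DNS gap, but a resolver check is still subject to rebinding between validation and fetch; egress filtering at the network layer is the complementary control.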
Reference

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66407
Similar results
Matching at least 50% of the tags
17-12-2025
Amazon: Ongoing cryptomining campaign uses hacked AWS accounts Amazon's AWS GuardDuty security...
17-12-2025
Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Ma...
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023
Project carried out by