[1.41.0]
Update weblate to 5.17.1
Full Changelog
Image URLs in Markdown are now escaped before rendering (GHSA-5cmv-3rc4-7279).
Tightened Weblate's REST API input validation to prevent translation enumeration (GHSA-gcg5-86jr-f7jg).
Project backup imports now revalidate component repository URLs before restoring from backup (CVE 2026-41654 / GHSA-cwcx-382v-8m9g).
Add-ons that opt in to manual triggering can now be run from add-on management and the Add-ons.
Admins can now clean up blocked or abusive users by reverting edits, rejecting pending suggestions, and deleting comments across project or site-wide scopes.
Admin user management can now find users by audit log IP address.
Added LTEngine machine translation service.
Password changes now regenerate personal API keys by default (CVE 2026-41519 / GHSA-6j8j-4qp3-36p2).
VCS_RESTRICT_PRIVATE and WEBHOOK_RESTRICT_PRIVATE now reject URLs whose hostnames cannot be resolved during validation unless the host is explicitly allowed.
Uploads now enforce TRANSLATION_UPLOAD_MAX_SIZE, COMPONENT_ZIP_UPLOAD_MAX_SIZE, and PROJECT_BACKUP_UPLOAD_MAX_SIZE before parsing. Component ZIP imports and project backup restores now share stricter ZIP archive safety checks, including total uncompressed data limits for project backup imports.