There are so many good things happening with Weblate recently that we don't know what to do first. Well, you'll read about the first major version of the year 2026 now and about the experience of our team at FOSDEM'26 a few days after.
Weblate 5.16 is not as generous as some other majors; the team was traveling, but there are still changes we want to talk about!
The one that Hosted Weblate (and other instances using the Billing module) users will experience is the move of the Billing permission to the billing page. It was a bit chaotic to have it on the project Users page for multi-project teams.
Next, our team continues with the effort to expand the options of file format customization. The file encoding setting was moved to that page, and duplicate handling was introduced there for MD, HTML, and TXT files.
For those who choose to raise the privacy, a new setting was added next to the private commit email address setting in your Profile—a private name. Credits are sometimes less important than privacy, right?
What we want to call out publicly is the work of our amazing translation contributors; the most visible additions this release are two new languages of the documentation—Indonesian and Swedish. Large contributions like this also got a new feature to make them easier to process; even if you opt for the Suggestions workflow, the Bulk Edit now enables accepting suggestions from a selected user.
Lastly, there are two new checks to improve your translations' quality: one for correct XML surrounding characters and the other for misplaced capital letters. You can say these are niche use cases, but is that ever a reason not to strive for higher quality?
The one more thing this time is a resolved security advisory; yes, security researchers really like to target Weblate recently, and we are glad for their work. Even though numerous reports turn out to be false, this one was of moderate severity, and we patched it quickly thanks to the report from Alex. The SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to ssh-add. Never misused, now reported.
Don't hesitate, update! And come back here on Friday!
