Refine your search
7 vulnerabilities found for by WeblateOrg
CVE-2025-68398 (GCVE-0-2025-68398)
Vulnerability from cvelistv5
Published
2025-12-18 23:00
Modified
2025-12-19 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:58:31.266182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:58:44.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T23:00:57.790Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17330",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17330"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17345"
},
{
"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1"
}
],
"source": {
"advisory": "GHSA-8vcg-cfxj-p5m3",
"discovery": "UNKNOWN"
},
"title": "Weblate has git config file overwrite vulnerability that leads to remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68398",
"datePublished": "2025-12-18T23:00:57.790Z",
"dateReserved": "2025-12-16T21:59:48.534Z",
"dateUpdated": "2025-12-19T14:58:44.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68279 (GCVE-0-2025-68279)
Vulnerability from cvelistv5
Published
2025-12-18 22:59
Modified
2025-12-19 15:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T15:01:48.050033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T15:02:04.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T22:59:28.527Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17331",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17331"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17356",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17356"
},
{
"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1"
}
],
"source": {
"advisory": "GHSA-g925-f788-4jh7",
"discovery": "UNKNOWN"
},
"title": "Weblate has an arbitrary file read via symbolic links"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68279",
"datePublished": "2025-12-18T22:59:28.527Z",
"dateReserved": "2025-12-16T14:17:32.389Z",
"dateUpdated": "2025-12-19T15:02:04.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67715 (GCVE-0-2025-67715)
Vulnerability from cvelistv5
Published
2025-12-16 00:07
Modified
2025-12-16 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:36:56.761890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:09:05.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T00:07:42.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17256",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17256"
}
],
"source": {
"advisory": "GHSA-3pmh-24wp-xpf4",
"discovery": "UNKNOWN"
},
"title": "Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67715",
"datePublished": "2025-12-16T00:07:42.829Z",
"dateReserved": "2025-12-10T17:47:36.418Z",
"dateUpdated": "2025-12-16T15:09:05.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67492 (GCVE-0-2025-67492)
Vulnerability from cvelistv5
Published
2025-12-16 00:05
Modified
2025-12-16 19:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Summary
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T19:13:36.113449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T19:13:44.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T00:05:56.848Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17221",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17221"
}
],
"source": {
"advisory": "GHSA-pj86-258h-qrvf",
"discovery": "UNKNOWN"
},
"title": "Weblate\u0027s over\u2011permissive webhook endpoint enables mass repository updates and component enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67492",
"datePublished": "2025-12-16T00:05:56.848Z",
"dateReserved": "2025-12-08T18:49:47.487Z",
"dateUpdated": "2025-12-16T19:13:44.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66407 (GCVE-0-2025-66407)
Vulnerability from cvelistv5
Published
2025-12-15 23:36
Modified
2025-12-16 19:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T19:07:51.759310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T19:08:03.470Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application\u2019s error messages clearly differentiate between files that exist and files that do not, revealing information about the server\u2019s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T23:36:25.682Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17102",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17102"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/17103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/17103"
}
],
"source": {
"advisory": "GHSA-hfpv-mc5v-p9mm",
"discovery": "UNKNOWN"
},
"title": "Weblate has Server-Side Request Forgery vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66407",
"datePublished": "2025-12-15T23:36:25.682Z",
"dateReserved": "2025-11-28T23:33:56.365Z",
"dateUpdated": "2025-12-16T19:08:03.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64725 (GCVE-0-2025-64725)
Vulnerability from cvelistv5
Published
2025-12-15 20:21
Modified
2025-12-15 20:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-286 - Incorrect User Management
Summary
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T20:55:31.900035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T20:55:54.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one\u0027s Weblate sessions with an invitation opened unattended."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-286",
"description": "CWE-286: Incorrect User Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T20:21:06.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/16913",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/16913"
},
{
"name": "https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9"
},
{
"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15"
}
],
"source": {
"advisory": "GHSA-m6hq-f4w9-qrjj",
"discovery": "UNKNOWN"
},
"title": "Weblate has improper validation upon invitation acceptance"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64725",
"datePublished": "2025-12-15T20:21:06.867Z",
"dateReserved": "2025-11-10T14:07:42.923Z",
"dateUpdated": "2025-12-15T20:55:54.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64326 (GCVE-0-2025-64326)
Vulnerability from cvelistv5
Published
2025-11-06 20:55
Modified
2025-11-06 21:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
Summary
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WeblateOrg | weblate |
Version: < 5.14.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:17:50.466205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:18:02.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "weblate",
"vendor": "WeblateOrg",
"versions": [
{
"status": "affected",
"version": "\u003c 5.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:55:17.594Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc"
},
{
"name": "https://github.com/WeblateOrg/weblate/pull/16781",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WeblateOrg/weblate/pull/16781"
}
],
"source": {
"advisory": "GHSA-gr35-vpx2-qxhc",
"discovery": "UNKNOWN"
},
"title": "Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64326",
"datePublished": "2025-11-06T20:55:17.594Z",
"dateReserved": "2025-10-30T17:40:52.028Z",
"dateUpdated": "2025-11-06T21:18:02.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}