VYPR
Low severity · OSV Advisory · Published Dec 15, 2025 · Updated Dec 15, 2025

Weblate has improper validation upon invitation acceptance

CVE-2025-64725

Description

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
Weblate (PyPI)   < 5.15              5.15


Patches
02e904675f06

fix: validate invitation while accepting

https://github.com/WeblateOrg/weblate · Michal Čihař · Nov 13, 2025 · via ghsa
1 file changed · +18 −3
  • weblate/auth/views.py  +18 −3  modified
    @@ -26,6 +26,8 @@
     from weblate.wladmin.forms import ChangedCharField
     
     if TYPE_CHECKING:
    +    from django.http import HttpResponse
    +
         from weblate.auth.models import (
             AuthenticatedHttpRequest,
             User,
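Review bot: the new `from django.http import HttpResponse` sits under `if TYPE_CHECKING:`, yet the later hunks annotate methods with `-> HttpResponse | None` and `-> HttpResponse`; unless this module has `from __future__ import annotations` (not visible in the diff), those annotations are evaluated at class-definition time and importing the module raises NameError. Please confirm the future import is present in weblate/auth/views.py, or move the import out of the TYPE_CHECKING block.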
    @@ -160,8 +162,9 @@ def form_invalid(self, form, formset):
     class InvitationView(DetailView):
         model = Invitation
     
    -    def get(self, request: AuthenticatedHttpRequest, *args, **kwargs):
    -        self.object = self.get_object()
    +    def validate_invitation(
    +        self, request: AuthenticatedHttpRequest
    +    ) -> HttpResponse | None:
             if request.user.is_authenticated and self.object.user != request.user:
                 # Invitation not for this user (either is for email and user is None or different user)
                 messages.error(
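Review bot: `validate_invitation` reads `self.object` instead of taking the invitation as a parameter, so it silently depends on the caller having run `self.get_object()` first. Either pass the invitation explicitly (`def validate_invitation(self, request, invitation: Invitation)`) or add a docstring stating that precondition and the return contract: a response only when the current request must not proceed with this invitation, `None` otherwise.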
    @@ -175,10 +178,17 @@ def get(self, request: AuthenticatedHttpRequest, *args, **kwargs):
                 # When inviting new user go through registration
                 request.session["invitation_link"] = str(self.object.pk)
                 return redirect("register")
    +        return None
    +
    +    def get(self, request: AuthenticatedHttpRequest, *args, **kwargs) -> HttpResponse:
    +        self.object = self.get_object()
    +        validation_result = self.validate_invitation(request)
    +        if validation_result is not None:
    +            return validation_result
             context = self.get_context_data(object=self.object)
             return self.render_to_response(context)
     
    -    def post(self, request: AuthenticatedHttpRequest, **kwargs):
    +    def post(self, request: AuthenticatedHttpRequest, **kwargs) -> HttpResponse:
             self.object = invitation = self.get_object()
             user = request.user
     
    @@ -214,6 +224,11 @@ def post(self, request: AuthenticatedHttpRequest, **kwargs):
             if invitation.user != user:
                 raise Http404
     
    +        # Check if this is for us
    +        validation_result = self.validate_invitation(request)
    +        if validation_result is not None:
    +            return validation_result
    +
             # Accept invitation
             invitation.accept(request, user)
     
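Review bot: the added `validate_invitation` call comes after `if invitation.user != user: raise Http404`, so the mismatched-authenticated-user branch of `validate_invitation` (see the earlier hunk) cannot trigger from here unless `user` is rebound between the two checks in code not shown; the comment `# Check if this is for us` does not say which remaining case (for example the not-yet-registered invitee being redirected to registration) this guard is meant to cover. Spell that out in the comment, and add a regression test that POSTs to an invitation opened in another user's session, since that is the scenario the advisory describes.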
    


