Weblate
by Weblateorg
Source repositories
CVEs (34)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68398 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. |
| CVE-2025-68279 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. |
| CVE-2025-67715 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. |
| CVE-2025-67492 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this… |
| CVE-2025-66407 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the… |
| CVE-2025-64725 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
| CVE-2025-64326 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users.… |
| CVE-2025-61587 | | | 0.00 | — | 0.00 | | Oct 1, 2025 | Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a… |
| CVE-2025-58352 | | | 0.00 | — | 0.00 | | Sep 4, 2025 | Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in… |
| CVE-2025-49134 | | | 0.00 | — | 0.00 | | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12. |
| CVE-2025-47951 | | | 0.00 | — | 0.00 | | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has… |
| CVE-2025-32021 | | | 0.00 | — | 0.00 | | Apr 15, 2025 | Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for… |
| CVE-2024-39303 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate… |
| CVE-2022-24710 | | | 0.00 | — | 0.01 | | Feb 25, 2022 | Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The… |
Page 2 of 2