CVE-2025-47951Improper Restriction of Excessive Authentication Attempts in Weblate

CWE-307Improper Restriction of Excessive Authentication Attempts3 documents3 sources
Severity
4.9MEDIUMNVD
EPSS
0.2%
top 57.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Weblateorg WeblateWeblate
Timeline
PublishedJun 16

Description

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 1.8 | Impact: 2.7

Affected Packages3 packages

NVDweblate/weblate< 5.12
PyPIweblate/weblate< 5.12
CVEListV5weblateorg/weblate< 5.12

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
Weblate lacks rate limiting when verifying second factor2025-06-16
OSV
Weblate lacks rate limiting when verifying second factor2025-06-16