CVE-2025-49134Exposure of Private Personal Information to an Unauthorized Actor in Weblate

CWE-359Exposure of Private Personal Information to an Unauthorized ActorCWE-476NULL Pointer Dereference4 documents4 sources
Severity
2.1LOWNVD
EPSS
0.3%
top 44.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Weblateorg WeblateWeblateMsrc Cbl2 Kernel 5.15.186.1-1 ON CBL Mariner 2.0+2 more
Timeline
PublishedJun 16

Description

Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages6 packages

NVDweblate/weblate< 5.12
PyPIweblate/weblate< 5.12
CVEListV5weblateorg/weblate< 5.12

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
Weblate exposes personal IP address via e-mail2025-06-16
GHSA
Weblate exposes personal IP address via e-mail2025-06-16

📋Vendor Advisories

1
Microsoft
mlxsw: spectrum: Guard against invalid local ports2025-02-11