CVE-2025-66407: Cross-Site Request Forgery in Weblate

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.0% (top 93.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 16

Description

Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial versi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Exploitability: 3.1 | Impact: 1.4

Affected Packages (2 packages)

NVD: weblate/weblate < 5.15
CVEListV5: weblateorg/weblate < 5.15

Patches