CVE-2025-68398 — Improper Input Validation in Weblate

CWE-20 — Improper Input Validation CWE-22 — Path Traversal CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.3%

top 48.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblateorg Weblate Weblate

Timeline

PublishedDec 18

Description

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDweblate/weblate< 5.15.1

▶PyPIweblate/weblate< 5.15.1

▶CVEListV5weblateorg/weblate< 5.15.1

🔴Vulnerability Details

GHSA

Weblate is vulnerable to RCE through Git config file overwrite↗2025-12-18

▶

OSV

Weblate is vulnerable to RCE through Git config file overwrite↗2025-12-18

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68398 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶