Weblateorg Weblate vulnerabilities
27 known vulnerabilities affecting weblateorg/weblate.
Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 14, LOW 7
Vulnerabilities
Page 2 of 2
CVE-2025-61587 | LOW | CVSS 2.1 | CWE-601 | fixed in 5.13.3 | 2025-10-01
Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to in
Source: nvd
CVE-2025-58352 | LOW | CVSS 2.1 | CWE-613 | fixed in 5.13.1 | 2025-09-05
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1.
Source: nvd
CVE-2025-47951 | MEDIUM | CVSS 4.9 | CWE-307 | fixed in 5.12 | 2025-06-16
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
Source: nvd
CVE-2025-49134 | LOW | CVSS 2.1 | CWE-359 | fixed in 5.12 | 2025-06-16
Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12.
Source: nvd
CVE-2025-32021 | HIGH | CVSS 7.5 | CWE-598 | fixed in 5.11 | 2025-04-15
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confident
Source: nvd
CVE-2024-39303 | MEDIUM | CVSS 5.4 | CWE-73 | affected >= 4.14, < 5.6.2 | 2024-07-01
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.
Source: nvd
CVE-2022-24710 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.11 | 2022-02-25
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised
Source: nvd