Weblate: >> Weblate >> 0.3 Security Vulnerabilities
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-06-16
Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-06-16
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.
CVSS Score
2.2
EPSS Score
0.001
Published
2025-04-15
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.
CVSS Score
7.2
EPSS Score
0.011
Published
2022-03-04
Weblate is a copyleft software web-based continuous localization system. Versions prior to 4.11 do not properly neutralize user input used in user name and language fields. Due to this improper neutralization it is possible to perform cross-site scripting via these fields. The issues were fixed in the 4.11 release. Users unable to upgrade are advised to add their own neutralize logic.
CVSS Score
5.4
EPSS Score
0.003
Published
2022-02-25
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
CVSS Score
5.3
EPSS Score
0.005
Published
2017-03-15