Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
Analysis
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
Technical ContextAI
This vulnerability is classified as Improper Restriction of Excessive Authentication Attempts (CWE-307).
RemediationAI
A vendor patch is available. Apply it as soon as possible and verify the fix.
Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter o
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limi
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when u
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded f
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabli
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpo
Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS
Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Pub
Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassin
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email addres
Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,
Same technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #745661| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18400
GHSA-57jg-m997-cx3q