CVE-2025-47951
Weblate (localization tool) prior to version 5.12 lacked rate limiting on the second-factor verification endpoint. This allowed an attacker with valid credentials to automate OTP guessing, potentially evading authentication controls. The vulnerability has been fixed in Weblate 5.12 (and patched i...
Weblate exposes personal IP address via e-mail
Impact: The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays or spam filters. Patches: This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/15102. References: Thanks to...
Weblate lacks rate limiting when verifying second factor
Impact: The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. Patches: This issue has been addressed in Weblate 5.12 via...
CVE-2025-32021
CVE-2025-32021 concerns Weblate before 5.11, where creating a new component from an existing one could leak VCS credentials. If the source repository URL is present in settings, that URL is carried in client URL parameters during creation; credentials such as GitHub PATs and usernames could appea...