weblate is vulnerable to information disclosure in its password reset form. When entering an arbitrary email address in the password reset form, it will report back “User with this email address was not found”, allowing to figure out which user accounts exist on the weblate instance.