CVE-2025-47951 – weblate
Package
Manager: pip
Name: weblate
Vulnerable Version: >=0 <5.12
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00042 (percentile 0.11786)
Details
Weblate lacks rate limiting when verifying the second factor
Impact
The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second-factor endpoint allows an attacker with valid credentials to automate OTP guessing.
Patches
This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.
References
Thanks to obscuredeer (https://hackerone.com/obscuredeer) for reporting this issue at HackerOne (https://hackerone.com/reports/3150564).
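The weakness described above (CWE-307) is the absence of any failure counter in front of the OTP comparison. The following is an added illustration, not Weblate's own code and not the change made in the referenced pull request: a small per-user failure limiter that refuses further second-factor checks once a threshold of wrong codes is reached inside a time window. The class and function names, the policy values (5 failures per 300 seconds) and the injectable clock are assumptions chosen for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed policy values for the example; any real deployment tunes these.
MAX_FAILURES = 5        # wrong OTP codes tolerated per user per window
WINDOW_SECONDS = 300    # sliding window over which failures are counted


class SecondFactorVerifier:
    """Compares a submitted OTP with the expected one, but only while the
    user is under the failure threshold. (Hypothetical helper, not Weblate's.)"""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock          # injectable so tests can move time forward
        # user -> timestamps of failed attempts still inside the window
        self._failures = defaultdict(list)

    def _prune(self, user, now):
        """Drop failures that have aged out of the sliding window."""
        cutoff = now - self.window
        self._failures[user] = [t for t in self._failures[user] if t > cutoff]

    def is_locked(self, user):
        """True when the user has hit the failure threshold in the window."""
        now = self.clock()
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def verify(self, user, expected_code, submitted_code):
        """Return 'ok', 'wrong' or 'throttled'.

        The throttle check runs before the comparison, so once the threshold
        is reached no further guesses are evaluated at all. A correct code
        resets the counter; a wrong one records a failure.
        """
        now = self.clock()
        self._prune(user, now)
        if len(self._failures[user]) >= self.max_failures:
            return "throttled"
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(str(expected_code).encode(),
                               str(submitted_code).encode()):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "wrong"


def outcomes_for_wrong_codes(verifier, user, expected_code, attempts):
    """Submit `attempts` wrong codes for one user and count the outcomes.

    Shows how many submissions actually reach the comparison: with a
    limiter in place the count is capped at max_failures, without one
    every submission would be compared.
    """
    counts = {"wrong": 0, "throttled": 0, "ok": 0}
    for i in range(attempts):
        guess = f"{i:06d}"
        if guess == str(expected_code):
            guess = "999999"   # keep every submission wrong for the demo
        counts[verifier.verify(user, expected_code, guess)] += 1
    return counts


if __name__ == "__main__":
    v = SecondFactorVerifier()
    print(outcomes_for_wrong_codes(v, "alice", "123456", 50))
    # Even the genuine code is refused until the window has elapsed.
    print(v.verify("alice", "123456", "123456"))
```

The same limiter would sit in the second-factor view of a Django application, keyed by the authenticated user (and optionally the source address), with the counter stored in a shared cache rather than process memory so that it survives restarts and is consistent across workers.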
Metadata
Created: 2025-06-16T14:52:53Z
Modified: 2025-06-16T21:47:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-57jg-m997-cx3q/GHSA-57jg-m997-cx3q.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-57jg-m997-cx3q
Finding: F053
Auto approve: 1