CVE-2025-47951

Published: Jun 16, 2025Modified: Jul 16, 2025

4.9

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Exploitability: 1.8 / Impact: 2.7

Source: security-advisories@github.com (Secondary)

Description

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

Affected (1)

Products: Weblate: Weblate

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Weblate Weblate	Before 5.12

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (5)

https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384

Source: security-advisories@github.com

Patch

https://github.com/WeblateOrg/weblate/pull/14918

Source: security-advisories@github.com

Issue Tracking

https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1

Source: security-advisories@github.com

Release Notes

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q

Source: security-advisories@github.com

Vendor Advisory

https://hackerone.com/reports/3150564

Source: security-advisories@github.com

Permissions Required

Timeline

No history available yet.