CVE-2025-47951

MEDIUM

Weblate < 5.12 - Brute Force

Title source: rule

Description

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

References (5)

[Vendor Advisory] https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q

[Issue Tracking] https://github.com/WeblateOrg/weblate/pull/14918

[Patch] https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384

View Patch ZIP pw:eip

[Permissions Required] https://hackerone.com/reports/3150564

[Release Notes] https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1

Scores

CVSS v3 4.9

EPSS 0.0020

EPSS Percentile 42.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (2)

pypi/weblate 0 - 5.12PyPI

weblate/weblate < 5.12

Published Jun 16, 2025

Tracked Since Feb 18, 2026