CVE-2025-68398

CRITICAL

Weblate < 5.15.1 - Path Traversal

Title source: rule

Description

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.

References (6)

[Vendor Advisory] https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3

[Issue Tracking] https://github.com/WeblateOrg/weblate/pull/17330

[Issue Tracking] https://github.com/WeblateOrg/weblate/pull/17345

[Patch] https://github.com/WeblateOrg/weblate/commit/4837a4154390f7c1d03c0e398aa6439dcfa361b4

[Patch] https://github.com/WeblateOrg/weblate/commit/dd8c9d7b00eebe28770fa0e2cd96126791765ea7

View Patch ZIP pw:eip

[Release Notes] https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1

Scores

CVSS v3 9.1

EPSS 0.0028

EPSS Percentile 51.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-434 CWE-20

Status published

Products (2)

pypi/Weblate 0 - 5.15.1PyPI

weblate/weblate < 5.15.1

Published Dec 18, 2025

Tracked Since Feb 18, 2026