CVE-2026-57942

MEDIUM

LibreTranslate - IP Spoofing via X-Forwarded-For Header

Title source: cna
STIX 2.1

Description

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.

Scores

CVSS v3 5.3
EPSS 0.0019
EPSS Percentile 9.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-348
Status published
Products (2)
LibreTranslate/LibreTranslate < 1.9.7
LibreTranslate/LibreTranslate 397fd224080515d4001a1bc60c8fed53e3c56b6f
Published Jun 29, 2026
Tracked Since Jun 29, 2026