CVE-2025-64326

Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1.

CVSS v3 2.6 LOW

2.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WeblateOrg/weblate/pull/16781	Issue Tracking
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

History

04 Dec 2025, 21:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:weblate:weblate::::::::
Summary		(es) Weblate es una herramienta de localización basada en web. En las versiones 5.14 e inferiores, Weblate filtra la dirección IP del miembro del proyecto que invita al usuario al proyecto en el registro de auditoría. El registro de auditoría incluye direcciones IP de acciones iniciadas por administradores, que pueden ser vistas por los usuarios invitados. Este problema está solucionado en la versión 5.14.1.
First Time		Weblate Weblate weblate
References	~~() https://github.com/WeblateOrg/weblate/pull/16781 -~~	() https://github.com/WeblateOrg/weblate/pull/16781 - Issue Tracking
References	~~() https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc -~~	() https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc - Patch, Vendor Advisory

06 Nov 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-06 21:15

Updated : 2025-12-04 21:35

NVD link : CVE-2025-64326

Mitre link : CVE-2025-64326

CVE.ORG link : CVE-2025-64326

JSON object : View

Products Affected

weblate

weblate

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

{"id": "CVE-2025-64326", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2025-11-06T21:15:43.957", "references": [{"url": "https://github.com/WeblateOrg/weblate/pull/16781", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-212"}]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1."}, {"lang": "es", "value": "Weblate es una herramienta de localizaci\u00f3n basada en web. En las versiones 5.14 e inferiores, Weblate filtra la direcci\u00f3n IP del miembro del proyecto que invita al usuario al proyecto en el registro de auditor\u00eda. El registro de auditor\u00eda incluye direcciones IP de acciones iniciadas por administradores, que pueden ser vistas por los usuarios invitados. Este problema est\u00e1 solucionado en la versi\u00f3n 5.14.1."}], "lastModified": "2025-12-04T21:35:38.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDF3215A-26DE-48CD-9D80-DAFBBF1105B6", "versionEndExcluding": "5.14.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}