CVE-2025-47951

medium

Description

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

References

https://hackerone.com/reports/3150564

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q

https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1

https://github.com/WeblateOrg/weblate/pull/14918

https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384

Details

Source: Mitre, NVD

Published: 2025-06-16

Updated: 2025-06-16

Named Vulnerability: unknown

Risk Information

CVSS v2

Base Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4.9

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity: Medium