SCA: security update for weblate (GHSA-m67m-3p5g-cw9j)

high Tenable Self-Hosted Container Security Plugin ID 425658

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an
existing component that has a source code repository URL specified in settings, this URL is included in
the client's URL parameters during the creation process. If, for example, the source code repository URL
contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into
browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext.
If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is
patched in version 5.11. (CVE-2025-32021)

See Also

https://github.com/advisories/GHSA-m67m-3p5g-cw9j

Plugin Details

Severity: High

ID: 425658

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 4/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.93

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-32021

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/15/2025

Vulnerability Publication Date: 4/15/2025

Reference Information

CVE: CVE-2025-32021

cwe: CWE-598