CVE-2025-68279

Description

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected products

WeblateOrg / weblate< 5.15.1 – < 5.15.1

References

VENDOR_ADVISORYhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7
PATCHhttps://github.com/WeblateOrg/weblate/pull/17331
PATCHhttps://github.com/WeblateOrg/weblate/pull/17356
PATCHhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1