CVE-2025-68279

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/WeblateOrg/weblate/pull/17331	Issue Tracking Patch
https://github.com/WeblateOrg/weblate/pull/17356	Issue Tracking Patch
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1	Release Notes
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-18 23:15

Updated : 2026-01-02 16:33

NVD link : CVE-2025-68279

Mitre link : CVE-2025-68279

CVE.ORG link : CVE-2025-68279

JSON object : View

Products Affected

weblate

weblate

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-68279", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-12-18T23:15:48.863", "references": [{"url": "https://github.com/WeblateOrg/weblate/pull/17331", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/pull/17356", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue."}], "lastModified": "2026-01-02T16:33:54.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D694E7D3-F4E0-44F5-B2EE-9B6EDDA4607F", "versionEndExcluding": "5.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}