← back
CVE-2025-68279

Weblate has an arbitrary file read via symbolic links

CVSS 7.7 HIGHEPSS 0.3%CWE-200CWE-22CWE-59
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
WeblateOrg · weblate

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/WeblateOrg/weblate/pull/17331https://github.com/WeblateOrg/weblate/pull/17356https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7