GHSA-pj86-258h-qrvf

Опубликовано: 15 дек. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration

Impact

It was possible to trigger repository updates for many repositories via a crafted webhook payload.

Patches

https://github.com/WeblateOrg/weblate/pull/17221

Workarounds

Disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.

References

Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to us.

Ссылки

Пакеты

Наименование

Weblate

pip

Затронутые версииВерсия исправления

< 5.15

5.15

EPSS

Процентиль: 7%

0.00028

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-67492

Дефекты

CWE-1286

Связанные уязвимости

CVE-2025-67492

CVSS3: 5.3

nvd

около 2 месяцев назад

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.

CVE-2025-67492

CVSS3: 5.3

debian

около 2 месяцев назад

Weblate is a web based localization tool. In versions prior to 5.15, i ...

EPSS

Процентиль: 7%

0.00028

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-67492

Дефекты

CWE-1286