Weblate has Systematic User and Project Enumeration via Broken Authorization...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.

Basic Information

ID CVE-2025-67715

Source GitHub_M

Published Dec 16, 2025 at 00:07

Affected Product

Vendor WeblateOrg

Product weblate

Version < 5.15

Affected Versions WeblateOrg weblate < 5.15

CWE Classification

CWE-284 CWE-285

References

{
    "lastseen": "",
    "description": "Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.",
    "published": "2025-12-16T00:07:42.829Z",
    "modified": "2025-12-16T00:07:42.829Z",
    "type": "cve",
    "title": "Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)",
    "source": "GitHub_M",
    "references": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4\nhttps://github.com/WeblateOrg/weblate/pull/17256",
    "id": "CVE-2025-67715",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "WeblateOrg weblate < 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "weblate",
    "version": "< 5.15",
    "vendor": "WeblateOrg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)_CVE-2025-67715