Weblate has an arbitrary file read via symbolic links

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.

Basic Information

ID CVE-2025-68279

Source GitHub_M

Published Dec 18, 2025 at 22:59

Affected Product

Vendor WeblateOrg

Product weblate

Version < 5.15.1

Affected Versions WeblateOrg weblate < 5.15.1

CWE Classification

CWE-22 CWE-59 CWE-200

References

{
    "lastseen": "",
    "description": "Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.",
    "published": "2025-12-18T22:59:28.527Z",
    "modified": "2025-12-18T22:59:28.527Z",
    "type": "cve",
    "title": "Weblate has an arbitrary file read via symbolic links",
    "source": "GitHub_M",
    "references": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7\nhttps://github.com/WeblateOrg/weblate/pull/17331\nhttps://github.com/WeblateOrg/weblate/pull/17356\nhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1",
    "id": "CVE-2025-68279",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "WeblateOrg weblate < 5.15.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "weblate",
    "version": "< 5.15.1",
    "vendor": "WeblateOrg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Weblate has an arbitrary file read via symbolic links_CVE-2025-68279