6.9
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Description
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
Basic Information
ID
CVE-2026-57942
Source
VulnCheck
Published
Jun 29, 2026 at 17:17
Affected Product
Vendor
LibreTranslate
Product
LibreTranslate
Affected Versions
LibreTranslate LibreTranslate 0