CVE-2025-49134
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-07-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | to 5.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Weblate versions prior to 5.12 involved audit log notifications that included the full IP address of the acting user. These IP addresses could be accessed by third-party servers such as SMTP relays or spam filters, potentially exposing user information unintentionally. The issue was fixed in version 5.12.
How can this vulnerability impact me? :
The vulnerability could lead to unintended exposure of users' full IP addresses to third-party servers, which may compromise user privacy and potentially be used for tracking or profiling users without their consent.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Weblate to version 5.12 or later, as this version includes a patch that prevents audit log notifications from including the full IP address of the acting user.