CVE-2025-64725

Critical

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user.…

GitHub_M·CWE-286·Published 2025-12-15

CVSS

9.8

EPSS

0.00

KEV

Exploits

cve.orgen

260 chars

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.

NVDen

260 chars

OSV.deven

345 chars

### Impact It was possible to accept an invitation opened by a different Weblate user. ### Patches * https://github.com/WeblateOrg/weblate/pull/16913 ### Workarounds Users should avoid leaving Weblate sessions with an unattended opened invitation. ### References Thanks to Nahid0x for responsibly disclosing this vulnerability to Weblate.

GHSAen

345 chars

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0	Primary	cve.org	1.0	—	—	CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
4.0	Primary	cve.org	1.0	—	—	CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
4.0	Secondary	NVD	1.0	—	—	CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
4.0	Secondary	GHSA	1.0	—	—	CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N