CVE-2025-47951
low-risk
Published 2025-06-16
Weblate is a web-based localization tool. Prior to version 5.12, verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second-factor endpoint allows an attacker who already holds valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
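The weakness above is the absence of a failure budget on the second-factor check. The following is an added illustration of the defensive pattern, not Weblate's code or the fix in the referenced pull request: each user gets a bounded number of failed OTP attempts per window, after which the endpoint refuses further attempts (including a correct code) until a lockout expires. The class and function names, the limits (5 failures per 300 s, 900 s lockout), the in-memory store and the injectable clock are assumptions for illustration.

```python
"""Added example: rate limiting a second-factor (OTP) verification step.

Not Weblate code. The limits, names and in-memory store are illustrative
assumptions; a real deployment would persist attempt state server-side
(e.g. in a cache shared by all application instances).
"""
import hmac
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # failed attempts inside the current window
    window_start: float = 0.0  # when the current counting window began
    locked_until: float = 0.0  # 0.0 means the user is not locked out


class RateLimitedOtpVerifier:
    """Verify OTP codes with a per-user failure budget and a lockout period."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable so tests can advance time
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AttemptState())

    def is_locked(self, user):
        return self.clock() < self._state_for(user).locked_until

    def verify(self, user, expected_code, submitted_code):
        """Return 'ok', 'invalid' or 'locked'.

        The lockout check runs before the code comparison, so a locked user
        gets no signal about whether a guess would have been right.
        """
        st = self._state_for(user)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if now - st.window_start > self.window:
            st.failures, st.window_start = 0, now   # start a fresh window
        # Constant-time comparison so timing does not leak the expected code.
        if hmac.compare_digest(str(expected_code), str(submitted_code)):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout     # budget exhausted: lock
            st.failures = 0
        return "invalid"


def demo():
    """Drive the verifier with a fake clock and return the observed outcomes."""
    t = [1000.0]
    v = RateLimitedOtpVerifier(max_failures=5, window=300.0, lockout=900.0,
                               clock=lambda: t[0])
    correct = "123456"                        # constructed sample code
    # Six wrong guesses in a row: the first five are rejected as invalid,
    # the sixth is refused outright because the budget is exhausted.
    results = [v.verify("alice", correct, f"{i:06d}") for i in range(6)]
    # Even the correct code is refused while the lockout is active.
    correct_while_locked = v.verify("alice", correct, correct)
    t[0] += 901.0                             # advance past the lockout
    after_lockout = v.verify("alice", correct, correct)
    return results, correct_while_locked, after_lockout


if __name__ == "__main__":
    print(demo())
```

The state here is kept per user; a production version would also track attempts per source address and per session, and log lockout events so that a burst of `locked` results is visible to detection tooling.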
Do I need to act?
EPSS: 0.20% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.9/10 (Medium); attack vector NETWORK, attack complexity HIGH
Affected Products (1)
Weblate
Affected Vendors
References (5)
Issue Tracking
https://github.com/WeblateOrg/weblate/pull/14918
Permissions Required
https://hackerone.com/reports/3150564
Risk score: 22 / 100 (low-risk)
Severity: 16/34 · Moderate
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal