CVE-2025-61587 LOW

CVE-2025-61587: Weblate integration with Anubis can lead to Open Redirect via redir parameter

Vendor Weblateorg
Product weblate
Weakness CWE-601 · Open redirect
Published October 1, 2025
Last update October 6, 2025

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.

Key dates

02Disclosure timeline

October 1, 2025 CVE published
October 6, 2025 Record updated