CVE-2025-67715 MEDIUM

CVE-2025-67715: Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)

Vendor Weblateorg
Product weblate
Weakness CWE-284
Published December 16, 2025
Last update December 16, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
December 16, 2025 Record updated