Description

Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.

INFO

Published Date :

2025-04-15T20:39:09.253Z

Last Modified :

2025-04-16T14:49:51.412Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-32021 vulnerability.

Vendors Products
Weblate
  • Weblate
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-32021.

URL Resource
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.11 cve-icon cve-icon
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m67m-3p5g-cw9j cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact