Severity: LOW 2.6 · Ecosystem: PyPI

Weblate leaks the IP of project member inviting user to be reviewer in Audit log

GHSA-gr35-vpx2-qxhc · CVE-2025-64326 · PYSEC-2025-126 · PYSEC-2025-230

Description

Summary

Weblate leaks the IP address of the project member inviting the user to the project in the audit log.

Details

The audit log included IP addresses from admin-triggered actions, and those could be viewed by invited users.

Impact

The inviting user's (admin's) IP address could be leaked to invited users.
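The exposure pattern described under Details, as an added example (not Weblate's code and not its actual fix): an audit entry shown in one account's log can carry the request metadata of a different account that triggered the action. The `AuditEntry` model, its field names, the function names and the sample rows are all hypothetical.

```python
"""Added illustration; not Weblate code. All names here are hypothetical."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class AuditEntry:
    owner: str                 # account whose audit log displays this entry
    actor: str                 # account whose HTTP request triggered the action
    activity: str
    address: Optional[str]     # source IP of the triggering request
    user_agent: Optional[str]


def record(owner, actor, activity, address, user_agent):
    """Write path: keep request metadata only for self-triggered actions."""
    if actor != owner:
        address, user_agent = None, None
    return AuditEntry(owner, actor, activity, address, user_agent)


def visible_to(viewer, entries):
    """Read path: also redact rows stored before the write path was fixed."""
    shown = []
    for entry in entries:
        if entry.owner != viewer:
            continue
        if entry.actor != viewer:
            entry = replace(entry, address=None, user_agent=None)
        shown.append(entry)
    return shown


def leaked_addresses(viewer, entries):
    """Check: addresses readable by `viewer` that came from another account's request."""
    return sorted({e.address for e in entries
                   if e.owner == viewer and e.actor != viewer and e.address})


# Constructed sample rows (documentation-range IPs, made-up accounts).
LEGACY_ROWS = [
    AuditEntry("invitee", "invitee", "login", "198.51.100.7", "Firefox"),
    AuditEntry("invitee", "admin", "invited", "203.0.113.10", "Chrome"),
    AuditEntry("other", "other", "login", "192.0.2.55", "Safari"),
]

if __name__ == "__main__":
    print("exposed as stored:", leaked_addresses("invitee", LEGACY_ROWS))
    print("exposed after redaction:",
          leaked_addresses("invitee", visible_to("invitee", LEGACY_ROWS)))
```

Redacting on read as well as on write matters because rows written before a fix still hold the other account's address.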
