Severity: HIGH (7.7) · Ecosystem: PyPI
Weblate has an arbitrary file read via symbolic links
GHSA-g925-f788-4jh7 · CVE-2025-68279
Description
Impact
It was possible to read arbitrary files from the server file system using crafted symbolic links in the repository.
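As an added illustration (not Weblate's code and not the fix from the linked pull requests), the following Python shows the containment check a defender wants around a VCS checkout: resolve both the repository root and the requested path through symbolic links before reading, and refuse anything that lands outside the root. The temporary checkout, file names and the escaping symlink are constructed for the example, and it assumes a POSIX system where unprivileged users may create symlinks.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a repository path escapes the checkout root."""


def resolve_inside_repo(repo_root: str, rel_path: str) -> Path:
    """Return the real path of rel_path, refusing anything outside repo_root.

    Both the root and the target are resolved through symlinks before the
    containment check, so a link like ``po/leak.po -> /etc/passwd`` or a
    symlinked directory ``po -> /`` is rejected instead of followed.
    """
    root = Path(repo_root).resolve(strict=True)
    candidate = (root / rel_path).resolve(strict=False)
    if candidate != root and root not in candidate.parents:
        raise UnsafePathError(f"{rel_path!r} resolves outside the repository")
    return candidate


def read_repo_file(repo_root: str, rel_path: str) -> bytes:
    """Read a file from the checkout only after the containment check."""
    return resolve_inside_repo(repo_root, rel_path).read_bytes()


def demo() -> dict:
    """Build a constructed checkout with an escaping symlink and exercise it."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.txt"  # stands in for a server-only file
        outside.write_bytes(b"server-only data")
        repo = Path(tmp) / "repo"
        (repo / "po").mkdir(parents=True)
        (repo / "po" / "de.po").write_bytes(b'msgid "Hello"\nmsgstr "Hallo"\n')
        # The hostile commit: a translation file that is really a symlink out
        (repo / "po" / "leak.po").symlink_to(outside)

        def outcome(rel: str) -> str:
            try:
                read_repo_file(str(repo), rel)
                return "read"
            except UnsafePathError:
                return "blocked"

        return {
            "normal": read_repo_file(str(repo), "po/de.po"),
            "symlink": outcome("po/leak.po"),      # symlink escape
            "traversal": outcome("../secret.txt"),  # plain dot-dot escape
        }
```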
Resources
Thanks to Jason Marcello for responsible disclosure.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-68279
- WEB https://github.com/WeblateOrg/weblate/pull/17331
- WEB https://github.com/WeblateOrg/weblate/pull/17356
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1