=====================================================================
CERT-Renater Information Note No. 2025/VULN898
_____________________________________________________________________

DATE                 : 23/12/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Weblate (pip) versions prior to 5.15.1.
=====================================================================

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7
_____________________________________________________________________

Arbitrary file read via symbolic links
Severity: High
nijel published GHSA-g925-f788-4jh7 on Dec 18, 2025

Package           : Weblate (pip)
Affected versions : <5.15.1
Patched versions  : 5.15.1

Description

Impact
It was possible to read arbitrary files from the server file system using crafted symbolic links in the repository.

Patches
#17331
#17356

References
Thanks to Jason Marcello for responsible disclosure.

Severity: High (7.7/10)

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : None
Scope               : Changed
Confidentiality     : High
Integrity           : None
Availability        : None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE ID: CVE-2025-68279

Weaknesses
CWE-22
CWE-59
CWE-200

Credits
@secjson (secjson) - Reporter
@nijel (nijel) - Remediation developer

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
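The advisory describes the general weakness class (CWE-59 link following combined with CWE-22 path traversal): a symbolic link committed into a repository checkout resolves to a location outside it, and a file read that follows the link without checking the resolved location discloses server files. The following is an added illustration of the defensive pattern, written for this note; it is not Weblate's code and says nothing about how the project's patches #17331 and #17356 are implemented. All directory names, file names and helper names (`resolve_inside`, `has_symlink_component`, `read_repo_file`, `demo`) are constructed for the demonstration.

```python
"""Added example (not Weblate's code): keeping file reads inside a
repository checkout so that symbolic links and ../ traversal cannot
reach files elsewhere on the server.

Two complementary checks are shown:
  1. resolve the real path of the request and require that it stays
     under the real path of the checkout root (catches both symlinks
     pointing outside and ../ traversal);
  2. a stricter policy that refuses any path containing a symlink
     component at all, regardless of where it points.
The directory layout built in demo() is constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path leaves the repository root."""


def resolve_inside(root: Path, relative: str) -> Path:
    """Return the real path of `relative` within `root`, or raise.

    Both the root and the candidate are resolved with symlinks followed
    (Path.resolve(strict=True)), so a link inside the checkout that
    points outside fails the containment test below.
    """
    real_root = root.resolve(strict=True)
    candidate = (real_root / relative).resolve(strict=True)
    try:
        candidate.relative_to(real_root)
    except ValueError:
        raise UnsafePathError(f"{relative!r} resolves outside {real_root}") from None
    return candidate


def has_symlink_component(root: Path, relative: str) -> bool:
    """Stricter policy: report whether any component under root is a symlink.

    Walks the requested path one component at a time; Path.is_symlink()
    uses lstat semantics, so the link itself is inspected, not its target.
    """
    current = root
    for part in Path(relative).parts:
        current = current / part
        if current.is_symlink():
            return True
    return False


def read_repo_file(root: Path, relative: str) -> str:
    """Read a file from the checkout only if its real path stays inside root."""
    target = resolve_inside(root, relative)
    return target.read_text()


def demo() -> dict:
    """Build a throwaway checkout with one honest file, one symlink that
    escapes it and one ../ traversal request, and record how each helper
    treats them."""
    outside_dir = Path(tempfile.mkdtemp(prefix="outside-"))
    secret = outside_dir / "secret.txt"
    secret.write_text("not for export\n")  # constructed stand-in for a server file

    repo = Path(tempfile.mkdtemp(prefix="repo-"))
    (repo / "locale").mkdir()
    (repo / "locale" / "fr.po").write_text('msgid "hi"\nmsgstr "salut"\n')
    # The crafted entry: a symlink under the checkout pointing out of it.
    os.symlink(secret, repo / "locale" / "escape.po")
    # A plain traversal request built from the same outside file.
    traversal = os.path.relpath(secret, repo)  # e.g. ../outside-xxxx/secret.txt

    results = {}
    results["honest_read"] = read_repo_file(repo, "locale/fr.po").startswith("msgid")
    for label, rel in (("escape_blocked", "locale/escape.po"), ("traversal_blocked", traversal)):
        try:
            read_repo_file(repo, rel)
            results[label] = False
        except UnsafePathError:
            results[label] = True
    results["honest_has_symlink"] = has_symlink_component(repo, "locale/fr.po")
    results["escape_has_symlink"] = has_symlink_component(repo, "locale/escape.po")
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is the one that matters for the advisory's scenario: the symlink is a legitimate filesystem object inside the checkout, so only comparing the resolved target against the resolved root catches it. The component walk is a cheaper policy for deployments that have no reason to accept symlinks in imported repositories at all.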