{"id":"GHSA-3pmh-24wp-xpf4","summary":"Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)","details":"### Impact\n\nIt was possible to retrieve user notification settings or list all users via API.\n\n### Patches\n\n* https://github.com/WeblateOrg/weblate/pull/17256\n\n### References\n\nThanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to Weblate.","aliases":["CVE-2025-67715"],"modified":"2025-12-20T03:05:53.087153Z","published":"2025-12-15T22:32:03Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-284","CWE-285"],"nvd_published_at":"2025-12-16T01:15:52Z","github_reviewed_at":"2025-12-15T22:32:03Z"},"references":[{"type":"WEB","url":"https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67715"},{"type":"WEB","url":"https://github.com/WeblateOrg/weblate/pull/17256"},{"type":"PACKAGE","url":"https://github.com/WeblateOrg/weblate"}],"affected":[{"package":{"name":"weblate","ecosystem":"PyPI","purl":"pkg:pypi/weblate"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15"}]}],"versions":["1.9","2.0","2.1","2.10","2.10.1","2.11","2.12","2.13","2.13.1","2.14","2.14.1","2.15","2.16","2.17","2.17.1","2.18","2.19","2.19.1","2.2","2.20","2.3","2.4","2.5","2.6","2.7","2.8","2.9","3.0","3.0.1","3.1","3.1.1","3.10","3.10.1","3.10.2","3.10.3","3.11","3.11.1","3.11.2","3.11.3","3.2","3.2.1","3.2.2","3.3","3.4","3.5","3.5.1","3.6","3.6.1","3.7","3.7.1","3.8","3.9","3.9.1","4.0","4.0.1","4.0.2","4.0.3","4.0.4","4.1","4.1.1","4.10","4.10.1","4.11","4.11.1","4.11.2","4.12","4.12.1","4.12.2","4.13","4.13.1","4.14","4.14.1","4.14.2","4.15","4.15.1","4.15.2","4.16","4.16.1","4.16.2","4.16.3","4.16.4","4.17","4.18","4.18.1","4.18.2","4.2","4.2.1","4.2.2","4.3","4.3.1","4.3.2","4.4","4.4.1","4.4.2","4.5","4.5.1","4.5.2","4.5.3","4.6","4.6.1","4.6.2","4.7","4.7.1","4.7.2","4.8","4.8.1","4.9","4.9.1","5.0","5.0.1","5.0.2","5.1","5.1.1","5.10","5.10.1","5.10.2","5.10.3","5.10.4","5.11","5.11.1","5.11.3","5.11.4","5.12.1","5.12.2","5.13","5.13.1","5.13.2","5.13.3","5.14","5.14.1","5.14.2","5.14.3","5.2","5.2.1","5.3","5.3.1","5.4","5.4.1","5.4.2","5.4.3","5.5","5.5.2","5.5.3","5.5.4","5.5.5","5.6","5.6.1","5.6.2","5.7","5.7.1","5.7.2","5.8.1","5.8.2","5.8.3","5.8.4","5.9.1","5.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3pmh-24wp-xpf4/GHSA-3pmh-24wp-xpf4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}