Vulnerability details: VCID-nvm6-6nvn-vqff
Vulnerability ID VCID-nvm6-6nvn-vqff
Aliases CVE-2025-66407
GHSA-hfpv-mc5v-p9mm
PYSEC-2025-231
Summary Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames.

When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application's error messages clearly differentiate between files that exist and files that do not, revealing information about the server's filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise.

This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.
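The following is an added illustration of the kind of allow-list check the Create Component form should run on a repository URL before any VCS backend touches it. It is not Weblate's code and not the fix from the linked pull requests; the names `validate_repo_url`, `RepoURLError`, `ip_is_forbidden`, `FAKE_DNS` and the permitted scheme set are assumptions made for this example. It rejects the three inputs the advisory names (file:// URLs, localhost, internal and link-local addresses such as the cloud metadata service) and, going beyond the advisory, also catches IPv4-mapped IPv6 literals and names that resolve to a mix of public and internal addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: only these schemes may be cloned. "file" is
# excluded so the server's filesystem cannot be enumerated, and cleartext
# "http" is excluded because the fetch may carry credentials.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})


class RepoURLError(ValueError):
    """Rejection with a generic reason that never echoes remote content."""


def ip_is_forbidden(address):
    """True for addresses a localization server must never fetch from:
    loopback, RFC 1918, link-local (cloud metadata sits at 169.254.169.254),
    CGNAT, multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(address) if isinstance(address, str) else address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_multicast or not ip.is_global


def resolve_host(host):
    """All addresses the system resolver returns for `host`. Numeric forms
    such as '2130706433' or '0x7f000001' are resolved here as well, which is
    why the check must look at resolved addresses, not at the host text."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def validate_repo_url(url, resolver=resolve_host):
    """Return (scheme, host, addresses) for an acceptable URL or raise
    RepoURLError. `resolver` is injectable so the logic is testable offline."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RepoURLError("unsupported URL scheme")
    host = parts.hostname  # None for file:///etc/passwd-style URLs
    if not host:
        raise RepoURLError("repository URL must contain a host")
    try:
        addresses = resolver(host)
    except (OSError, ValueError):
        raise RepoURLError("repository host could not be resolved") from None
    if not addresses:
        raise RepoURLError("repository host could not be resolved")
    # Every address must pass: a name with one public and one internal
    # record is still usable for SSRF.
    if any(ip_is_forbidden(ip) for ip in addresses):
        raise RepoURLError("repository host resolves to a non-public address")
    return scheme, host, addresses


# Constructed resolver table so the demonstration runs offline; production
# code uses resolve_host above.
FAKE_DNS = {
    "github.com": {"140.82.112.3"},
    "metadata.internal": {"169.254.169.254"},
    "dual.example": {"93.184.216.34", "10.0.0.5"},
    "localhost": {"127.0.0.1", "::1"},
    "v6mapped.example": {"::ffff:10.1.2.3"},
}


def fake_resolver(host):
    try:
        return {ipaddress.ip_address(host)}  # literal IPv4/IPv6 host
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return {ipaddress.ip_address(a) for a in FAKE_DNS[host]}


def check(url):
    """'ok' or the generic rejection reason for one candidate URL."""
    try:
        validate_repo_url(url, resolver=fake_resolver)
    except RepoURLError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    for candidate in (
        "https://github.com/WeblateOrg/weblate.git",
        "file:///etc/passwd",
        "http://169.254.169.254/latest/meta-data/",
        "https://metadata.internal/",
        "https://[::1]:8000/repo",
        "https://dual.example/repo",
        "https://v6mapped.example/repo",
        "https:///no-host",
    ):
        print(f"{candidate:45} {check(candidate)}")
```

Three caveats matter in practice. First, resolving at validation time and cloning later is a TOCTOU window: a DNS name can be rebound to 169.254.169.254 between the check and the fetch, so the clone should reuse the validated address or go through an egress proxy that enforces the same policy. Second, scp-style `git@host:path` strings have no scheme and are rejected here; accept them deliberately, with their own host check, if your deployment needs them. Third, the rejection strings above are intentionally generic and the VCS tool's stderr should be logged server-side rather than shown to the user, since the advisory's file-enumeration leak comes entirely from error messages that differ between an existing and a missing path. Until the upgrade to 5.15 is done, the advisory's workaround of removing the Mercurial entry from `VCS_BACKENDS` in the Weblate settings removes the backend that echoes the HTTP response.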
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-66407
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hfpv-mc5v-p9mm
cvssv3.1 5.0 https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml
cvssv3.1 5.0 https://github.com/WeblateOrg/weblate
generic_textual MODERATE https://github.com/WeblateOrg/weblate
cvssv3.1 5 https://github.com/WeblateOrg/weblate/pull/17102
cvssv3.1 5.0 https://github.com/WeblateOrg/weblate/pull/17102
generic_textual MODERATE https://github.com/WeblateOrg/weblate/pull/17102
ssvc Track https://github.com/WeblateOrg/weblate/pull/17102
cvssv3.1 5 https://github.com/WeblateOrg/weblate/pull/17103
cvssv3.1 5.0 https://github.com/WeblateOrg/weblate/pull/17103
generic_textual MODERATE https://github.com/WeblateOrg/weblate/pull/17103
ssvc Track https://github.com/WeblateOrg/weblate/pull/17103
cvssv3.1 5 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
cvssv3.1 5.0 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
cvssv3.1_qr MODERATE https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
generic_textual MODERATE https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
ssvc Track https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
cvssv3.1 5.0 https://nvd.nist.gov/vuln/detail/CVE-2025-66407
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-66407
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Found at (the same vector is reported by every source):
https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-231.yaml
https://github.com/WeblateOrg/weblate
https://github.com/WeblateOrg/weblate/pull/17102
https://github.com/WeblateOrg/weblate/pull/17103
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
https://nvd.nist.gov/vuln/detail/CVE-2025-66407
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): changed
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-16T19:07:51Z/
Found at:
https://github.com/WeblateOrg/weblate/pull/17102
https://github.com/WeblateOrg/weblate/pull/17103
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm
Exploitation (E): none; Automatable (A): yes; Technical Impact (T): partial; Decision (D): Track
Exploit Prediction Scoring System (EPSS)
Percentile 0.06046
EPSS Score 0.00021
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:59:49.499690+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/66xxx/CVE-2025-66407.json 38.6.0