CVE-2025-61587

01.10.2025, 22:15

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
weblate	weblate	𝑥 < 5.13.3

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/WeblateOrg/docker/commit/76518342f65b8af8c2b7f7c5d37f84813c1253a1

https://github.com/WeblateOrg/weblate/commit/6b3d73a310279b5630bca8cbd9ea0be28bc67b63

https://github.com/WeblateOrg/weblate/commit/ec3b900f8a52c5c992d9e7014f09397e159ac381

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3xhv-r4gx-xw99