CVE-2025-47951 — Weblate lacks rate limiting when verifying second factor

Description

### Impact The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918. ### References Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).

How to fix CVE-2025-47951

To remediate CVE-2025-47951, upgrade the affected package to a fixed version below.

—upgrade to 5.12 or later

Is CVE-2025-47951 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47951
PATCHgithub.com/WeblateOrg/weblate
WEBgithub.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384
WEBgithub.com/WeblateOrg/weblate/pull/14918