CVE-2025-67492 — Weblate's over‑permissive webhook endpoint enables mass repository updates and c

Description

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.

How to fix CVE-2025-67492

To remediate CVE-2025-67492, upgrade the affected package to a fixed version below.

—upgrade to 5.15 or later
—upgrade to 5.15 or later

Is CVE-2025-67492 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.15
from 0, < 5.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67492
PATCHgithub.com/WeblateOrg/weblate
WEBgithub.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-232.yaml
WEBgithub.com/WeblateOrg/weblate/pull/17221