CVE-2025-67715 — Weblate has Systematic User and Project Enumeration via Broken Authorization in

Description

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.

How to fix CVE-2025-67715

To remediate CVE-2025-67715, upgrade the affected package to a fixed version below.

PyPI/weblate—upgrade to 5.15 or later
—upgrade to 5.15 or later

Is CVE-2025-67715 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.15
from 0, < 5.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67715
PATCHgithub.com/WeblateOrg/weblate
WEBgithub.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-233.yaml
WEBgithub.com/WeblateOrg/weblate/pull/17256