PT-2025-16475

Joonashak · Published 2025-04-15 · Updated 2025-05-06 · CVE-2025-32021

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.11
Description: Weblate is a web-based localization tool. When a new component is created from an existing one with a specified source code repository URL, confidential credentials embedded in that URL, such as GitHub Personal Access Tokens (PATs) and usernames, are exposed in plaintext. Because the credentials travel in the request URL, they can be saved in browser history and written in plaintext to any log that records request URLs. This is particularly concerning when using the official Docker image, where nginx logs the URL, including the token, in plaintext.
Recommendations: For versions prior to 5.11, update to version 5.11 to resolve the issue. As a temporary workaround until the update is applied, avoid creating new components from existing ones whose source code repository URL contains sensitive credentials. Restrict access to logs and browser history to minimize the risk of credential exposure.
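The failure mode above is a credential carried in a request URL being copied into web-server access logs. The following added example (written for this entry, not code from Weblate or from the advisory's source) shows the check a defender would run while working through the recommendations: it parses nginx "combined" access-log lines, URL-decodes each query parameter, flags values that embed a `user:secret@host` userinfo block or a GitHub token prefix (`ghp_`, `github_pat_`), and writes out a redacted copy of the line. The log lines and the `repo` query parameter name are constructed for the demo and are not Weblate's actual field names or real traffic.

```python
"""Detect and redact credentials leaked through request URLs in nginx access logs.

Added example for this advisory. SAMPLE_LOGS and the 'repo' parameter name are
constructed placeholders, not Weblate's real endpoint or real traffic.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# nginx "combined" format:
#   ip - user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<rest>HTTP/[\d.]+".*)$'
)

# A repository URL carrying credentials in its userinfo part: scheme://user:secret@host/...
USERINFO_RE = re.compile(
    r'(?P<scheme>[a-z][a-z0-9+.\-]*://)(?P<user>[^:/@\s]+):(?P<secret>[^@/\s]+)@'
)
# GitHub token prefixes: ghp_ (classic PAT) and github_pat_ (fine-grained PAT).
TOKEN_RE = re.compile(r'\b(ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b')

# Constructed sample lines: one leaking a PAT via the repo URL's userinfo,
# one with a clean repo URL, one request without a query string at all.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Apr/2025:10:00:01 +0000] "GET /create-component/'
    '?repo=https%3A%2F%2Fbob%3Aghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123%40github.com%2Facme%2Fapp.git'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [15/Apr/2025:10:00:02 +0000] "GET /create-component/'
    '?repo=https%3A%2F%2Fgithub.com%2Facme%2Fapp.git HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Apr/2025:10:00:03 +0000] "GET /projects/acme/ HTTP/1.1" 200 1024 "-" "curl/8.0"',
]


def find_leaks(line):
    """Return [(query_param, kind)] for every query parameter that carries a credential.

    kind is 'url-userinfo' for user:secret@host inside a URL value, or
    'github-token' for a bare GitHub token. Returns [] for clean or unparsable lines.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group('target')).query
    leaks = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl URL-decodes
        if USERINFO_RE.search(value):
            leaks.append((name, 'url-userinfo'))
        elif TOKEN_RE.search(value):
            leaks.append((name, 'github-token'))
    return leaks


def redact_line(line):
    """Return the log line with embedded secrets replaced by [REDACTED].

    The query string is decoded, scrubbed, and re-encoded; lines without a
    query string or not in combined format are returned unchanged.
    """
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group('target'))
    scrubbed = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = USERINFO_RE.sub(r'\g<scheme>\g<user>:[REDACTED]@', value)  # keep user, drop secret
        value = TOKEN_RE.sub('[REDACTED]', value)
        scrubbed.append((name, value))
    target = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(scrubbed), parts.fragment))
    return f"{m.group('prefix')}{m.group('method')} {target} {m.group('rest')}"


def scan(lines):
    """Return [(line_index, leaks)] for every line in which a credential was found."""
    hits = []
    for i, line in enumerate(lines):
        leaks = find_leaks(line)
        if leaks:
            hits.append((i, leaks))
    return hits


if __name__ == "__main__":
    for idx, leaks in scan(SAMPLE_LOGS):
        print(f"line {idx}: credential in {leaks}")
        print("  redacted:", redact_line(SAMPLE_LOGS[idx]))
```

Running this over a real access log tells you whether the leak described here has already reached your log files (and therefore any log shipping or retention pipeline behind them); the redacted copies are what you keep once the originals are purged. The redaction only addresses the copy that is already on disk: the credential in the leaked line must be treated as compromised and rotated regardless.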


Weakness Enumeration

Related Identifiers

CVE-2025-32021
GHSA-M67M-3P5G-CW9J
OPENSUSE-SU-2025:15055-1
PYSEC-2025-35

Affected Products

Docker
Github
Weblate
Nginx