PYSEC-2026-2039

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2039.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2039
Aliases
Published
2026-07-07T16:02:55.231866Z
Modified
2026-07-07T17:47:55.587125338Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Weblate lacks rate limiting when verifying second factor
Details

Impact

The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.

Patches

This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.

References

Thanks to obscuredeer for reporting this issue at HackerOne.

References

Affected packages

PyPI / weblate

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.12

Affected versions

1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11
4.11.1
4.11.2
4.12
4.12.1
4.12.2
4.13
4.13.1
4.14
4.14.1
4.14.2
4.15
4.15.1
4.15.2
4.16
4.16.1
4.16.2
4.16.3
4.16.4
4.17
4.18
4.18.1
4.18.2
5.*
5.0
5.0.1
5.0.2
5.1
5.1.1
5.2
5.2.1
5.3
5.3.1
5.4
5.4.1
5.4.2
5.4.3
5.5
5.5.2
5.5.3
5.5.4
5.5.5
5.6
5.6.1
5.6.2
5.7
5.7.1
5.7.2
5.8.1
5.8.2
5.8.3
5.8.4
5.9.1
5.9.2
5.10
5.10.1
5.10.2
5.10.3
5.10.4
5.11
5.11.1
5.11.3
5.11.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2039.yaml"