CVE-2025-47951: 
Python vulnerability analysis and mitigation

Weblate, a web-based localization tool, was identified with a security vulnerability (CVE-2025-47951) affecting versions prior to 5.12. The vulnerability was discovered and disclosed on June 16, 2025. The issue involves the absence of rate limiting on the second-factor authentication verification endpoint, which affects the security of the two-factor authentication mechanism (GitHub Advisory, NVD).

The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) with a CVSS v3.1 base score of 4.9 (Medium). The attack vector is Network-based with High attack complexity, requiring Low privileges and No user interaction. The scope is Changed, with Low impact on both Confidentiality and Integrity, and No impact on Availability (GitHub Advisory, NVD).

An attacker with valid credentials could exploit this vulnerability to automate OTP (One-Time Password) guessing attempts against the second-factor authentication mechanism, potentially leading to unauthorized access to user accounts (GitHub Advisory).

This security issue has been patched in Weblate version 5.12. Users are strongly advised to upgrade to this version or later to address the vulnerability. The fix was implemented through pull request #14918 (GitHub PR, GitHub Commit).

The vulnerability was initially reported through HackerOne by security researcher obscuredeer, demonstrating the effectiveness of the bug bounty program in identifying security issues (GitHub Advisory).