CVE-2025-49134: 
Python vulnerability analysis and mitigation

Weblate, a web-based localization tool, was found to have a privacy vulnerability identified as CVE-2025-49134. Prior to version 5.12, the software's audit log notifications included the full IP address of the acting user, which could be exposed to third-party servers such as SMTP relays or spam filters. The vulnerability was discovered and reported through HackerOne, and was officially published on June 16, 2025 (GitHub Advisory).

The vulnerability is classified as Low severity with a CVSS v4.0 base score of 2.1. The CVSS vector string is CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N, indicating that while the vulnerability is network-accessible, it requires high attack complexity and high privileges to exploit. The vulnerability is categorized as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) (GitHub Advisory).

The primary impact of this vulnerability is the potential exposure of users' full IP addresses to third-party servers involved in email delivery, such as SMTP relays and spam filters. This represents a privacy concern as it could allow these third parties to collect and potentially misuse users' IP address information (GitHub Advisory).

The vulnerability has been patched in Weblate version 5.12. The fix involves implementing IP address anonymization in notification emails, where instead of including the full IP address, the system now uses a shortened version that only includes the network portion of the address. For IPv4 addresses, it shows only the first 16 bits, and for IPv6 addresses, it shows only the first 48 bits (GitHub Commit).