CVE-2025-66407: CWE-352: Cross-Site Request Forgery (CSRF) in WeblateOrg weblate
Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.
AI Analysis
Technical Summary
Weblate is a web-based localization platform that supports multiple version control backends, including Mercurial and Git. In versions prior to 5.15, the 'Create Component' feature allows authorized users to add new translation components by specifying a version control system and a repository URL. However, the repository URL input is not validated or sanitized, permitting attackers to supply arbitrary protocols, hostnames, IP addresses (including localhost and internal network addresses), and local file paths. When the Mercurial backend is selected, Weblate processes the URL and exposes the full server-side HTTP response in error messages. This behavior creates a server-side request forgery (SSRF) primitive, enabling attackers to probe internal HTTP services that are otherwise inaccessible from the outside. Additionally, the vulnerability allows local file enumeration via file:// requests; while file contents may not always be disclosed, error messages reveal whether files exist, leaking filesystem layout information. In cloud environments, this is particularly dangerous because internal-only endpoints such as cloud metadata services can be accessed, potentially leading to credential disclosure and full environment compromise. The Git backend is not vulnerable because it blocks the file protocol and does not expose HTTP response content in errors. The vulnerability is tracked as CVE-2025-66407 with a CVSS 3.1 base score of 5.0 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and partial confidentiality impact. The issue was resolved in Weblate 5.15 by adding validation and sanitization of repository URLs. As a workaround, removing Mercurial from the VCS_BACKENDS configuration disables the vulnerable code path.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using Weblate in cloud or hybrid environments with Mercurial enabled. Exploitation can lead to internal network reconnaissance, exposing sensitive internal services and infrastructure details. The ability to enumerate local files can reveal server filesystem structure, aiding further attacks. In cloud deployments, access to metadata services can result in credential theft, enabling attackers to escalate privileges and compromise the entire environment. This can disrupt localization workflows, leak intellectual property, and potentially lead to broader network compromise. Organizations relying on Weblate for critical translation and localization tasks may face operational disruptions and data confidentiality breaches. The requirement for authenticated access limits exposure, but insider threats or compromised accounts could exploit this vulnerability. Given the widespread use of Weblate in software development and localization across Europe, the impact is non-trivial, particularly for sectors with sensitive data such as finance, government, and technology.
Mitigation Recommendations
The primary mitigation is to upgrade Weblate to version 5.15 or later, where the vulnerability is fixed by proper validation and sanitization of repository URLs. If immediate upgrade is not feasible, administrators should remove the Mercurial backend from the VCS_BACKENDS configuration to disable the vulnerable functionality. Additionally, organizations should enforce strict access controls and monitoring on Weblate instances to detect suspicious activity. Network segmentation should be employed to limit Weblate server access to internal services and metadata endpoints. Implementing Web Application Firewalls (WAFs) with rules to detect and block SSRF attempts targeting internal IP ranges and file protocols can provide additional protection. Regular auditing of user privileges and multi-factor authentication can reduce the risk of account compromise. Finally, reviewing and restricting error message verbosity to avoid leaking sensitive internal response data is recommended.
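A repository URL allowlist check of the kind the fix and the WAF recommendation above describe (reject file:// and other non-repository schemes, then refuse any host that is or resolves to loopback, link-local such as the 169.254.169.254 metadata endpoint, or private space), written here as an added example and not Weblate's own code. The `resolve` parameter and its default resolver are assumptions of this example, so the address check can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

# Mercurial itself understands file://, so the allowlist must leave it out.
ALLOWED_SCHEMES = {"http", "https", "ssh"}

Resolver = Callable[[str], Iterable[str]]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def default_resolver(host: str) -> list:
    """Return every address a hostname maps to (A and AAAA), so a name that
    points at an internal address is caught just like a literal IP."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve host {host!r}") from exc
    return [info[4][0] for info in infos]


def _is_internal(ip: Address) -> bool:
    """True for loopback, link-local (incl. the 169.254.169.254 metadata
    endpoint), RFC 1918/ULA, unspecified and other non-global ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return ip.is_loopback or ip.is_link_local or not ip.is_global


def validate_repo_url(url: str, resolve: Resolver = default_resolver) -> str:
    """Return the URL unchanged if it is safe to hand to the VCS backend,
    otherwise raise ValueError with a message that echoes nothing fetched."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme or '(none)'!r} is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("repository URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a plain literal (a hostname, or odd forms such as 127.1):
        # resolve it and check every address, as the VCS client would.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addrs:
        if _is_internal(ip):
            raise ValueError(f"host {host!r} resolves to internal address {ip}")
    return url
```

Because the check resolves names at validation time, a record that changes afterwards (DNS rebinding) is not covered; egress filtering from the Weblate host, as recommended above, remains the second layer.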
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-28T23:33:56.365Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69409d9cd9bcdf3f3d09c710
Added to database: 12/15/2025, 11:45:32 PM
Last enriched: 12/23/2025, 12:14:26 AM
Last updated: 2/7/2026, 2:07:11 PM