The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters.
This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/15102.
Thanks to micael1 for reporting this issue at HackerOne.
{ "severity": "LOW", "nvd_published_at": "2025-06-16T21:15:24Z", "github_reviewed_at": "2025-06-16T14:52:56Z", "github_reviewed": true, "cwe_ids": [ "CWE-359" ] }