CVE-2026-57942
LibreTranslate - IP Spoofing via X-Forwarded-For Header
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
| CWE | CWE-348 |
| Vendor | libretranslate |
| Product | libretranslate |
| Published | Jun 29, 2026 |
| Last Updated | Jun 29, 2026 |
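An added example, not LibreTranslate's code and not the change made in commit 397fd22: a constructed stand-in for a resolver that believes X-Forwarded-For from any peer, beside one that honours the header only when the socket peer is a configured trusted proxy. The function names, the trusted proxy ranges and the sample traffic are assumptions made for illustration.

```python
import ipaddress

# Constructed assumption: the reverse proxies this deployment actually sits behind.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_remote_address(peer_addr, xff):
    """Pattern the advisory describes: believe X-Forwarded-For from anyone."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def resolve_remote_address(peer_addr, xff):
    """Honour X-Forwarded-For only for hops added by trusted proxies."""
    if not xff or not _is_trusted(peer_addr):
        return peer_addr  # direct client: the header is attacker-controlled
    # Walk right to left: each trusted proxy appended the address it saw.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_addr  # malformed entry: fall back to the socket peer
    return peer_addr  # every hop was a trusted proxy


def distinct_rate_limit_keys(resolver, requests):
    """Number of separate per-IP buckets a limiter would create."""
    return len({resolver(peer, xff) for peer, xff in requests})


# Constructed traffic: one client (203.0.113.7) sending a different forged header each time,
# first directly, then through the trusted proxy 10.0.0.5, which appends the real peer.
DIRECT = [("203.0.113.7", f"198.51.100.{i}") for i in range(1, 6)]
VIA_PROXY = [("10.0.0.5", f"198.51.100.{i}, 203.0.113.7") for i in range(1, 6)]
```

With the naive resolver the five requests land in five rate-limit buckets; with the trusted-proxy resolver they collapse to one, whether the client connects directly or through the proxy.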
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | Low |
Affected Versions
LibreTranslate / LibreTranslate
0 ≤ 1.9.7
References
github.com: https://github.com/LibreTranslate/LibreTranslate/issues/986
github.com: https://github.com/LibreTranslate/LibreTranslate/pull/987
github.com: https://github.com/LibreTranslate/LibreTranslate/commit/397fd224080515d4001a1bc60c8fed53e3c56b6f
vulncheck.com: https://www.vulncheck.com/advisories/libretranslate-ip-spoofing-via-x-forwarded-for-header
Credits
George Chen