Platform: python
Component: weblate
Fixed in: 5.17.1, 5.17
CVE-2026-33435 is a Remote Code Execution (RCE) vulnerability affecting Weblate versions 5.0.0 through 5.16. This vulnerability arises from insufficient filtering of Git and Mercurial configuration files during project backups, potentially allowing an attacker to execute arbitrary code. The vulnerability was reported by ggamno via HackerOne and has been addressed in Weblate 5.17.0.
The core of the vulnerability lies in the project backup functionality within Weblate. Specifically, the process responsible for creating backups of projects fails to adequately sanitize Git and Mercurial configuration files. An attacker who can trigger a project backup (typically by having project creation privileges) could craft malicious configuration files containing arbitrary code. When the backup is processed, this code could be executed on the Weblate server, leading to complete system compromise. The blast radius is significant, potentially impacting the entire server and any data stored within Weblate, including translations and project configurations. This vulnerability shares similarities with other file processing vulnerabilities where untrusted data is executed without proper validation.
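As an illustration of the kind of filtering the paragraph above refers to, here is an added example (not Weblate's code and not the change made in the fix) of a fail-closed allowlist applied to a repository's `.git/config` before it enters a backup: only the keys needed to restore the repository survive, and everything else is dropped without being interpreted. The key set and the sample config are constructed for this example; a Mercurial hgrc has the same INI shape but would need its own allowlist.

```python
import re

# Keys a backup needs in order to restore a usable repository. Anything else is
# dropped rather than inspected (fail-closed allowlist). Constructed for this
# example; a real deployment decides the set against its own needs.
SAFE_KEYS = {
    ("core", "repositoryformatversion"), ("core", "filemode"),
    ("core", "bare"), ("core", "logallrefupdates"),
    ("remote", "url"), ("remote", "fetch"),
    ("branch", "remote"), ("branch", "merge"),
}
# remote.url values are additionally limited to the transports we expect.
_URL_OK = re.compile(r"^(https?|ssh)://|^[\w.-]+@[\w.-]+:")
_SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
_KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")


def filter_git_config(text: str) -> tuple[str, list[str]]:
    """Return (filtered config, dropped raw lines) for the text of a .git/config.

    Comments and blank lines are discarded. A key survives only if it is
    allowlisted for its section; continuation lines (trailing backslash) and an
    unparseable header (which invalidates the current section) are never kept.
    """
    kept: list[str] = []
    dropped: list[str] = []
    section: str | None = None
    header: str | None = None  # emitted lazily, only if a key under it survives
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            m = _SECTION_RE.match(line)
            if m:
                section, header = m.group(1).lower(), line
            else:
                section, header = None, None
                dropped.append(raw)
            continue
        m = _KEY_RE.match(line)
        if section is None or m is None or line.endswith("\\"):
            dropped.append(raw)
            continue
        key, value = m.group(1).lower(), (m.group(2) or "true").strip()
        if (section, key) not in SAFE_KEYS or (key == "url" and not _URL_OK.match(value)):
            dropped.append(raw)
            continue
        if header is not None:
            kept.append(header)
            header = None
        kept.append(f"\t{key} = {value}")
    return "\n".join(kept) + ("\n" if kept else ""), dropped
```

The dropped lines are returned so the backup job can log them, which is the kind of audit trail the monitoring advice later on this page relies on.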
CVE-2026-33435 was publicly disclosed on April 15, 2026. There is currently no indication of active exploitation in the wild, and it is not listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that a POC is likely to be developed given sufficient time. The EPSS score is likely to be assessed as medium, reflecting the need for project creation privileges to exploit the vulnerability.
Exploit Status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Weblate to version 5.17.0 or later, which includes the necessary filtering to prevent the RCE. If an immediate upgrade is not feasible, a temporary workaround involves restricting access to the project backup functionality. Specifically, limiting the ability to create new projects significantly reduces the attack surface, as an attacker would need project creation privileges to trigger the vulnerable backup process. Consider implementing Web Application Firewall (WAF) rules to block suspicious requests related to project backups, although this is not a substitute for patching. Monitor Weblate logs for unusual activity related to project backups, looking for unexpected file modifications or execution attempts.
Upgrade Weblate to version 5.17 or later to mitigate the vulnerability. If you cannot upgrade immediately, restrict access to project backups, since they are only accessible to users with permission to create projects.
CVE-2026-33435 is a Remote Code Execution vulnerability in Weblate versions 5.0.0 through 5.16, allowing attackers to execute code during project backups if they have project creation privileges.
You are affected if you are running Weblate versions 5.0.0 through 5.16 and have not upgraded to 5.17.0 or later. Assess which users have project creation privileges.
Upgrade Weblate to version 5.17.0 or later. As a temporary workaround, restrict access to project creation to limit the attack surface.
There is currently no evidence of active exploitation in the wild, but the vulnerability's nature suggests it could be exploited.
Refer to the Weblate GitHub pull request: https://github.com/WeblateOrg/weblate/pull/18549