weblate
Fixed in
5.17.1
5.17
CVE-2026-33220 is a medium-severity vulnerability affecting Weblate versions 0.0.0 through 5.16. The translation memory API exposed unintended endpoints without proper access controls, potentially allowing unauthorized access to sensitive data. This issue has been resolved in version 5.17.0, and a CDN add-on workaround is available.
The core impact of CVE-2026-33220 lies in the exposure of Weblate's translation memory API endpoints without adequate access control. An attacker could use this to retrieve or manipulate translation data, including sensitive content managed within Weblate projects; the extent of the data at risk depends on what is stored in the translation memories. The description does not explicitly mention lateral movement, but successful exploitation could lead to unauthorized access to other systems if Weblate is integrated with other services or if the attacker obtains credentials through the exposed API.
CVE-2026-33220 was responsibly reported via GitHub by @spbavarva. As of the publication date (2026-04-15), there is no indication of active exploitation or KEV listing. Public proof-of-concept code is not currently available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a suitable payload is developed.
Organizations using Weblate for translation management, particularly those with sensitive content stored within translation memories, are at risk. This includes teams relying on Weblate for software localization, documentation translation, or other content translation workflows. Those using older Weblate instances (0.0.0 - 5.16) are particularly vulnerable.
• python / server:
    # Check for Weblate version
    python3 -c 'import weblate; print(weblate.__version__)'
• generic web:
    # Check for exposed API endpoints (example)
    curl -I https://your-weblate-instance/api/tm/   # Look for 200 OK responses without authentication
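Added example (not Weblate's own code) that combines the two checks above into one script: it classifies the reported version against the fixed release and probes the translation memory endpoint with no credentials, reporting exposure only on an HTTP 200 reply. The /api/tm/ path is taken from the page's curl example and is an assumption, not verified against Weblate's API documentation.

```python
"""Added example (not Weblate's own code): is a deployment in the affected
range for CVE-2026-33220, and does its translation memory endpoint answer
without credentials?  Assumption: the /api/tm/ path comes from this page's
curl example and is not verified against Weblate's API documentation."""
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (5, 17, 0)  # advisory: fixed in 5.17.0
TM_PATH = "/api/tm/"        # path from the page's curl example (assumption)


def parse_version(text):
    """'5.16' -> (5, 16, 0); '5.17.1' -> (5, 17, 1). Pre-release suffixes
    such as '-dev' are dropped, so a dev build is treated as its release."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Weblate version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version_text):
    """True for every release below the fix (0.0.0 through 5.16.x)."""
    return parse_version(version_text) < FIXED_VERSION


def probe_unauthenticated(base_url, timeout=10):
    """HEAD the TM endpoint with no credentials. Returns (status, exposed):
    exposed is True only on HTTP 200, the signal the curl check looks for;
    401/403 mean the endpoint is demanding authentication as it should."""
    req = urllib.request.Request(base_url.rstrip("/") + TM_PATH, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.status == 200
    except urllib.error.HTTPError as err:
        return err.code, False


if __name__ == "__main__":
    # usage: check.py <version> [https://your-weblate-instance]
    version = sys.argv[1] if len(sys.argv) > 1 else "5.16"
    print(f"Weblate {version}: affected={is_affected(version)}")
    if len(sys.argv) > 2:
        status, exposed = probe_unauthenticated(sys.argv[2])
        print(f"{TM_PATH}: HTTP {status}, unauthenticated access={exposed}")
```

Run the probe only against an instance you operate; a 200 from an unauthenticated HEAD is the condition to escalate, while 401 or 403 indicates the endpoint is gated.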
Exploit status
EPSS
0.01% (3rd percentile)
The primary mitigation for CVE-2026-33220 is to upgrade Weblate to version 5.17.0 or later, which includes the necessary access control fixes. If an immediate upgrade is not feasible, consider enabling the CDN add-on, which is not enabled by default and can provide an additional layer of protection. Review Weblate's access control configuration to ensure that only authorized users have access to translation memories. After upgrading, confirm the fix by requesting the affected API endpoints without credentials, and with an account that is not authorized for translation memories, and verifying that access is denied.
Fix this vulnerability by updating Weblate to version 5.17 or later. If you cannot update immediately, disable the CDN add-on to reduce the risk, as it is not enabled by default.
CVE-2026-33220 affects Weblate versions 0.0.0 through 5.16, exposing translation memory API endpoints without proper access control, potentially allowing unauthorized data access.
If you are running Weblate versions 0.0.0 through 5.16, you are potentially affected by this vulnerability. Upgrade to 5.17.0 to mitigate the risk.
Upgrade Weblate to version 5.17.0 or later. As a temporary workaround, enable the CDN add-on.
As of the publication date, there is no confirmed evidence of active exploitation of CVE-2026-33220.
Refer to the Weblate GitHub repository for updates and advisories: https://github.com/WeblateOrg/weblate/pull/18516