Medium severity6.8NVD Advisory· Published Apr 15, 2026· Updated Apr 21, 2026

CVE-2026-33220

Description

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
weblatePyPI	< 5.17	5.17

Affected products

Weblate/Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
Range: <5.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WeblateOrg/weblate/pull/18516nvdIssue TrackingPatchWEB
github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfmnvdThird Party AdvisoryWEB
github.com/advisories/GHSA-mqph-7h49-hqfmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33220ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000