High severity8.0NVD Advisory· Published Apr 15, 2026· Updated Apr 21, 2026
CVE-2026-33435
CVE-2026-33435
Description
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
WeblatePyPI | < 5.17 | 5.17 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/WeblateOrg/weblate/pull/18549nvdIssue TrackingPatchWEB
- github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-558g-h753-6m33ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33435ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-154.yamlghsaWEB
News mentions
0No linked articles in our index yet.