High severity8.0NVD Advisory· Published Apr 15, 2026· Updated Apr 21, 2026

CVE-2026-33435

Description

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
weblatePyPI	< 5.17	5.17

Affected products

Weblate/Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*
Range: <5.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WeblateOrg/weblate/pull/18549nvdIssue TrackingPatchWEB
github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-558g-h753-6m33ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33435ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.520
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000