PT-2026-33116 · Weblate · Weblate
Published: 2026-04-15 · Updated: 2026-04-16 · CVE-2026-33435
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Weblate versions prior to 5.17
Description
Project backup fails to filter Git and Mercurial configuration files, which could lead to remote code execution under certain circumstances.
Recommendations
Update to version 5.17.
Restrict access to the project backup to limit the scope of the issue, as this feature is only accessible to users with project creation privileges.
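As an added example (not Weblate's code and not the fix shipped in 5.17), the following Python check screens a backup archive before it is restored, flagging members located at Git or Mercurial repository configuration paths (`.git/config`, `.hg/hgrc`) and members that use relative path traversal. It assumes the backup is a ZIP archive; the function names and the sample member names are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Repository-level configuration file locations for Git and Mercurial.
VCS_CONFIG = {(".git", "config"), (".hg", "hgrc")}


def audit_backup(archive):
    """Return sorted (member_name, reason) findings for a ZIP archive."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            # Normalise Windows separators so both spellings are caught.
            parts = PurePosixPath(name.replace("\\", "/")).parts
            # Compare case-insensitively: .GIT/Config is the same file
            # on case-insensitive filesystems.
            lowered = tuple(p.lower() for p in parts)
            if name.startswith(("/", "\\")) or ".." in parts:
                findings.append((name, "path-traversal"))
            if lowered[-2:] in VCS_CONFIG:
                findings.append((name, "vcs-config"))
    return sorted(findings)


def build_sample():
    """Constructed sample archive; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup.json", "{}")
        zf.writestr("vcs/component/.git/HEAD", "ref: refs/heads/main\n")
        zf.writestr("vcs/component/.git/config", "[core]\n")
        zf.writestr("vcs/other/.hg/hgrc", "[ui]\n")
        zf.writestr("vcs/../../outside.txt", "x")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, reason in audit_backup(build_sample()):
        print(f"{reason:15} {member}")
```

A non-empty result is a reason to reject the archive rather than restore it; an empty result does not replace updating to 5.17.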
Fix
Code Injection
Relative Path Traversal
Unrestricted File Upload
Affected Products
Weblate