CVE-2026-33435 — Relative Path Traversal in Weblate

CWE-23 — Relative Path Traversal CWE-94 — Code Injection CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.0HIGHNVD

EPSS

0.3%

top 44.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weblateorg Weblate Weblate

Timeline

PublishedApr 15

Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.3 | Impact: 6.0

Affected Packages2 packages

▶PyPIweblate/weblate< 5.17

▶CVEListV5weblateorg/weblate< 5.17

🔴Vulnerability Details

VulDB

weblate up to 5.16 Configuration path traversal (GHSA-558g-h753-6m33)↗2026-04-16

▶

GHSA

Weblate: Remote code execution during backup restoration↗2026-04-16

▶