CVE-2026-33440Server-Side Request Forgery in Weblate

CWE-918Server-Side Request Forgery3 documents3 sources
Severity
5.0MEDIUMNVD
EPSS
0.0%
top 93.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Weblateorg WeblateWeblate
Timeline
PublishedApr 15
Latest updateApr 16

Description

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages2 packages

PyPIweblate/weblate< 5.17
CVEListV5weblateorg/weblate< 5.17

🔴Vulnerability Details

2
GHSA
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads2026-04-16
VulDB
weblate up to 5.16 Setting ALLOWED_ASSET_DOMAINS server-side request forgery (GHSA-5fhx-9jwj-867m)2026-04-16