{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33220", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-04-15T18:03:40.728Z", "dateUpdated": "2026-04-16T14:10:15.340Z"}, "containers": {"cna": {"title": "Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18516", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18516"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:03:40.728Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default."}], "source": {"advisory": "GHSA-mqph-7h49-hqfm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:09:48.641668Z", "id": "CVE-2026-33220", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:10:15.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:09:48.641668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:10:05.870Z"}}], "cna": {"title": "Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository", "source": {"advisory": "GHSA-mqph-7h49-hqfm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18516", "name": "https://github.com/WeblateOrg/weblate/pull/18516", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:03:40.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33220", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:10:15.340Z", "dateReserved": "2026-03-17T23:23:58.314Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T18:03:40.728Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "64AD3B80-D39E-4EAF-9CF8-B4D3C8A6C58A", "versionEndExcluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default."}], "id": "CVE-2026-33220", "lastModified": "2026-04-21T14:10:42.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:35.130", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/weblate/pull/18516"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-15T22:15:18.481446+00:00", "value": {"mitigation_remediation": ["Update Weblate to version 5.17 or later, which removes the exposed endpoints and enforces proper access control.", "If an upgrade cannot be performed immediately, configure the CDN add\u2011on to be disabled so that the vulnerable feature remains inactive.", "Verify that the translation memory API endpoints are no longer reachable without proper authorization and monitor logs for any anomalous access attempts."], "summary": {"action": "Patch Now", "impact": "Arbitrary Local File Read"}, "threat_synthesis": {"affected_systems": "The flaw is present in all Weblate installations from WeblateOrg that run versions earlier than 5.17. It is specifically tied to the CDN add\u2011on, a feature that is not enabled by default but can be activated by administrators.", "description_and_impact": "In Weblate versions below 5.17, the translation memory API exposed unintended endpoints that did not enforce proper access control. An attacker can abuse these endpoints to read any local file on the server, including files outside the project repository. This allows the disclosure of sensitive data and represents a confidentiality compromise.", "risk_and_exploitability": "The CVSS score of 6.8 reflects a moderate severity, with a missing EPSS score and no presence in the KEV catalog. The vulnerability can be exploited by users who are able to reach the exposed API endpoints, which may include authenticated users or any user with network access to the web application. Because the attack bypasses access controls, an attacker can read arbitrary files on the host machine. Mitigation requires an update or disabling of the add\u2011on to block the vulnerable endpoints."}}}}, "created": "2026-04-15T22:30:16.053320+00:00", "updated": "2026-04-16T09:12:36.386948+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}