{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33435", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.436Z", "datePublished": "2026-04-15T18:13:07.568Z", "dateUpdated": "2026-04-15T18:40:27.204Z"}, "containers": {"cna": {"title": "Weblate: Remote code execution during backup restoration", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18549", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18549"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:13:07.568Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects."}], "source": {"advisory": "GHSA-558g-h753-6m33", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:40:18.548374Z", "id": "CVE-2026-33435", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:40:27.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T18:40:18.548374Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:40:21.788Z"}}], "cna": {"title": "Weblate: Remote code execution during backup restoration", "source": {"advisory": "GHSA-558g-h753-6m33", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18549", "name": "https://github.com/WeblateOrg/weblate/pull/18549", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:13:07.568Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33435", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:40:27.204Z", "dateReserved": "2026-03-19T18:45:22.436Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T18:13:07.568Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "64AD3B80-D39E-4EAF-9CF8-B4D3C8A6C58A", "versionEndExcluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects."}], "id": "CVE-2026-33435", "lastModified": "2026-04-21T14:10:08.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:35.277", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/weblate/pull/18549"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-15T22:14:53.762101+00:00", "value": {"mitigation_remediation": ["Apply the official Weblate 5.17 or newer update to eliminate the backup sanitization defect.", "If an immediate upgrade is not possible, limit backup functionality to trusted users only or disable the backup endpoint altogether.", "Before restoring a backup, remove or sanitize any Git or Mercurial configuration files to ensure no malicious code is executed."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The affected product is Weblate, provided by WeblateOrg. Vulnerable versions are all releases older than 5.17. Users running those versions should verify their current build and consider an upgrade.", "description_and_impact": "Weblate's backup functionality in versions before 5.17 fails to sanitize Git and Mercurial configuration files, allowing an attacker to craft a payload that is executed when the backup is restored. This flaw enables remote code execution on the system hosting Weblate, potentially granting full system compromise. The weakness involves path traversal and arbitrary code inclusion, classified under CWEs 23, 434, and 94.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.1, indicating high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The exploit requires remote access to the project backup endpoint, which is only available to users who have project\u2011creation permissions, making the attack vector feasible for authenticated users within the Weblate installation. Inferred that an attacker could place malicious configuration files in a project repository and trigger RCE during a backup restore performed by a privileged user."}}}}, "created": "2026-04-15T22:15:15.711988+00:00", "updated": "2026-04-16T09:12:34.000830+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}