CVE-2026-33435 · HIGH 8.0 · EPSS p48.6%

Description

Weblate is a web-based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files, which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.6% · 2026-06-19T12:03:05Z
Published: 2026-04-15
Last modified: 2026-04-21

Underlying weaknesses (3)

CWE-23, CWE-94, CWE-434

References

  1. https://github.com/WeblateOrg/weblate/pull/18549
  2. https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33

Weakness mapping (3)

Type      | Target                                                          | Confidence | Tier
Weakness  | Relative Path Traversal (CWE-23)                                | 0%         | live
Weakness  | Unrestricted Upload of File with Dangerous Type (CWE-434)       | 0%         | live
Weakness  | Improper Control of Generation of Code ('Code Injection') (CWE-94) | 0%      | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-34393
  2. CVE-2026-41654
  3. CVE-2025-68398
  4. CVE-2026-45106
  5. CVE-2026-23535
  6. CVE-2026-50127

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.