CVE-2026-33220 MEDIUM

CVE-2026-33220: Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Vendor Weblateorg

Product weblate

Weakness CWE-22 · Path traversal

Published April 15, 2026

Last update April 16, 2026

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Key dates

Disclosure timeline

April 15, 2026 CVE published

April 16, 2026 Record updated