CVE-2026-33435 HIGH

CVE-2026-33435: Weblate: Remote code execution during backup restoration

Vendor Weblateorg

Product weblate

Weakness CWE-23

Published April 15, 2026

Last update April 15, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can limit the scope of the vulnerability by restricting access to the project backup, as it is only accessible to users who can create projects.

Key dates

02Disclosure timeline

April 15, 2026 CVE published

April 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33435 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

CVE-2026-33435: Weblate: Remote code execution during backup restoration

01Description

02Disclosure timeline

03References

04Related CVE