CVE-2026-33440 MEDIUM

CVE-2026-33440: Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads

Vendor Weblateorg

Product weblate

Weakness CWE-918 · SSRF

Published April 15, 2026

Last update April 15, 2026

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

Key dates

02Disclosure timeline

April 15, 2026 CVE published

April 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33440

Related vulnerabilities

04Related CVE

CVE-2024-1021 Rebuild HTTP Request readRawText server-side request forgery CVE-2024-13879 Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery CVE-2023-43654 TorchServe Server-Side Request Forgery CVE-2024-10705 Multiple Page Generator Plugin – MPG <= 4.0.5 - Authenticated (Editor+) Server-Side Request Forgery via fileUrl CVE-2026-26150 Microsoft Purview eDiscovery Elevation of Privilege Vulnerability