GHSA-558G-H753-6M33

Vulnerability from github – Published: 2026-04-16 20:41 – Updated: 2026-04-16 20:41
VLAI?
Summary
Weblate: Remote code execution during backup restoration
Details

Impact

The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

Patches

  • https://github.com/WeblateOrg/weblate/pull/18549

Workarounds

The project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.

References

This issue was reported by ggamno via HackerOne.

Severity ?
8.0 (High)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "weblate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-434",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:41:38Z",
    "nvd_published_at": "2026-04-15T19:16:35Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe project backup didn\u0027t filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18549\n\n### Workarounds\nThe project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.\n\n### References\nThis issue was reported by [ggamno](https://hackerone.com/ggamno) via HackerOne.",
  "id": "GHSA-558g-h753-6m33",
  "modified": "2026-04-16T20:41:38Z",
  "published": "2026-04-16T20:41:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/18549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WeblateOrg/weblate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate: Remote code execution during backup restoration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.