8.1
Weblate Backup Exposes Git/Hg Config Files to Remote Code Execution
CVE-2026-33435
GHSA-558g-h753-6m33
Summary
Weblate's project backup feature in versions before 5.17 did not filter Git and Mercurial configuration files out of backups, which under certain circumstances could allow an attacker to execute arbitrary code when a backup is restored. This has been fixed in version 5.17. If you cannot update right away, limit access to the backup feature to reduce exposure.
What to do
- Update weblate to version 5.17.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | weblate | < 5.17 (fix: upgrade to 5.17) |
Original title
Weblate: Remote code execution during backup restoration
Original description
### Impact
The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.
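The defensive control this advisory implies is a restore-side filter: before any member of a project backup is written to disk, reject version-control metadata that the VCS itself interprets (Git `config` and `hooks/`, Mercurial `hgrc`) and reject path traversal, which the CWE-23 classification below also points at. The following is an added illustration written for this page, not Weblate's code and not the patch in the linked pull request; the denylist, the archive layout and the sample members are constructed assumptions.

```python
"""Restore-side filter for project backup archives (illustrative, not Weblate's code)."""
import io
import posixpath
import tarfile

# Assumption: these VCS metadata entries are the ones a restore should never
# write, because Git/Mercurial read them and they can influence command execution.
VCS_DENY_RULES = {
    ".git": ("config", "hooks"),
    ".hg": ("hgrc",),
}


def is_unsafe_member(name: str) -> bool:
    """True when an archive member must not be restored.

    Rejects absolute paths and '..' traversal (CWE-23) and any entry that sits
    directly under a VCS metadata directory and matches the denylist above.
    """
    norm = posixpath.normpath(name)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return True
    parts = norm.split("/")
    for i, part in enumerate(parts):
        denied = VCS_DENY_RULES.get(part)
        if denied and i + 1 < len(parts) and parts[i + 1] in denied:
            return True
    return False


def filter_backup(archive_bytes: bytes) -> tuple[list[str], list[str]]:
    """Return (kept, rejected) member names for a tar archive supplied as bytes.

    Symlinks and hard links are rejected too: they are another way for an
    archive member to end up pointing outside the restore directory.
    """
    kept, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk() or is_unsafe_member(member.name):
                rejected.append(member.name)
            else:
                kept.append(member.name)
    return kept, rejected


def build_sample_backup() -> bytes:
    """Constructed sample: a project backup that also carries VCS config files
    and a traversal entry. Contents are placeholders."""
    members = [
        ("project/translations/cs.po", b'msgid ""\nmsgstr ""\n'),
        ("project/repo/.git/HEAD", b"ref: refs/heads/main\n"),
        ("project/repo/.git/config", b"# constructed placeholder\n"),
        ("project/repo/.git/hooks/post-checkout", b"#!/bin/sh\n"),
        ("project/repo/.hg/hgrc", b"# constructed placeholder\n"),
        ("../outside.txt", b"constructed\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    kept, rejected = filter_backup(build_sample_backup())
    print("restore:", kept)
    print("reject: ", rejected)
```

Applying the filter to member names before extraction (rather than deleting files afterwards) matters: a hook or config file must never exist on disk, even briefly, in a directory a VCS command might later run in. The rules are deliberately narrow so that ordinary repository state such as `.git/HEAD` still restores.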
### Patches
* https://github.com/WeblateOrg/weblate/pull/18549
### Workarounds
The project backup is only accessible to users who can create projects. Restricting access to this limits the scope of the vulnerability.
### References
This issue was reported by [ggamno](https://hackerone.com/ggamno) via HackerOne.
NVD CVSS 3.1: 8.0
Vulnerability type
- CWE-23: Relative Path Traversal
- CWE-94: Code Injection
- CWE-434: Unrestricted File Upload
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 15 Apr 2026