CVE-2026-33435
Remote Code Execution via Backup Config Files in Weblate
Publication date: 2026-04-15
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | all versions before 5.17 (5.17 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33435 is a high-severity remote code execution vulnerability in Weblate versions prior to 5.17. The project backup restoration process does not filter Git and Mercurial configuration files (such as .git/config, .git/config.worktree, .hg/hgrc and scripts under .git/hooks/) out of the archive it restores, so a user who can create projects can restore a crafted backup that places attacker-controlled VCS configuration inside a repository on the server, where Git or Mercurial will act on it the next time Weblate operates on that repository.
The weaknesses tagged on this page describe the three parts of the problem: the archive is an uploaded file type whose contents are processed automatically (CWE-434), the paths inside it are used to write files without adequate sanitization (CWE-23), and the restored configuration ends up controlling what the server executes (CWE-94).
How can this vulnerability impact me?
This vulnerability can lead to remote code execution, allowing an attacker with project creation privileges to run arbitrary code on the Weblate server.
The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS scores for these metrics.
Because the attack vector is network-based and requires high privileges but no user interaction, an attacker who can create projects and access backups can exploit this vulnerability remotely.
Mitigation involves restricting access to project backups to trusted users and updating Weblate to version 5.17 or later where the issue is fixed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper filtering of Git and Mercurial configuration files during project backup restoration in Weblate versions prior to 5.17. Detection would focus on identifying if your Weblate instance is running a vulnerable version and if project backups contain unfiltered VCS configuration files such as .git/config, .git/config.worktree, .hg/hgrc, or files under .git/hooks/.
To detect the vulnerability on your system, you can:
- Check the Weblate version to confirm if it is prior to 5.17.
- Inspect project backup archives for the presence of sensitive VCS configuration files that should be filtered.
- Look for suspicious or unexpected files in the backup directories, especially Git hooks or Mercurial config files.
Suggested commands to assist detection:
- Determine the installed version with Weblate's own management command, `weblate list_versions` (or `pip show weblate` inside the installation's virtualenv), or from the About page in the Weblate UI.
- List the members of a backup archive without extracting it and look for the unsafe paths, for example: `unzip -l backup.zip | grep -E '\.git/config|\.git/hooks/|\.hg/hgrc'` (use `tar -tf backup.tar` in place of `unzip -l` if your backups are tarballs; `\.git/config` also matches `config.worktree`).
- Search an already extracted backup directory for the same files: `find /path/to/backup \( -path '*/.git/config' -o -path '*/.git/config.worktree' -o -path '*/.git/hooks/*' -o -path '*/.hg/hgrc' \)`
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Weblate to version 5.17 or later, where the vulnerability has been fixed by sanitizing the project backup restore process to exclude dangerous VCS configuration files.
If immediate upgrading is not possible, limit who can reach the vulnerable code path: restoring a project backup requires project creation privileges, so restrict project creation (and therefore backup restore) to trusted users only.
Additional mitigation steps include:
- Limit network access to the Weblate backup feature to reduce exposure.
- Manually inspect and clean existing backups to remove any unsafe VCS configuration files before restoration.
- Apply the patch described in the fix (patch #18549) if upgrading is delayed, which skips restoring sensitive VCS files and reinitializes repository configuration safely.
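The following Python script is an added example (not Weblate's code and not the upstream fix) that implements the two manual checks given in the detection and mitigation answers above: it lists every backup member whose path matches the VCS configuration files named on this page (.git/config, .git/config.worktree, .hg/hgrc, anything under .git/hooks/) or escapes the restore directory, and it writes a copy of the archive with those members removed. It assumes the backup is a ZIP archive and runs against a constructed in-memory sample; both the archive format and the sample contents are assumptions, not details taken from the advisory.

```python
"""Scan a Weblate project backup for VCS configuration members that could run
code after restore, and write a copy of the archive with them removed.

Added example, not Weblate's code and not the upstream fix. Assumptions:
- the backup is a ZIP archive (adapt the opener if yours is a tarball);
- the unsafe paths are exactly the ones named on this page: .git/config,
  .git/config.worktree, .hg/hgrc and anything under .git/hooks/, plus any
  member whose path escapes the restore directory ("..", absolute path).
"""
from __future__ import annotations

import io
import zipfile

# Files directly under a .git directory that Git reads for executable settings.
DANGEROUS_GIT_FILES = {"config", "config.worktree"}


def is_unsafe_entry(name: str) -> str | None:
    """Classify one archive member path; return a reason, or None if it is fine."""
    norm = name.replace("\\", "/")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if norm.startswith("/") or ".." in parts:
        return "path traversal"
    for i, part in enumerate(parts):
        rest = parts[i + 1:]
        if part == ".git":
            if rest[:1] == ["hooks"] and len(rest) > 1:
                return "git hook"
            if len(rest) == 1 and rest[0] in DANGEROUS_GIT_FILES:
                return "git config"
        elif part == ".hg" and rest == ["hgrc"]:
            return "hg config"
    return None


def scan_backup(data: bytes) -> dict[str, str]:
    """Return {member path: reason} for every unsafe member, without extracting."""
    findings: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = is_unsafe_entry(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def sanitize_backup(data: bytes) -> tuple[bytes, list[str]]:
    """Copy the archive, dropping unsafe members. Returns (new archive, dropped)."""
    out = io.BytesIO()
    dropped: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if is_unsafe_entry(info.filename):
                dropped.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))  # keeps member metadata
    return out.getvalue(), dropped


def list_entries(data: bytes) -> list[str]:
    """Sorted member paths of an archive (used to verify the sanitized copy)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def build_sample_backup() -> bytes:
    """Constructed sample archive for demonstration; not a real Weblate backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup.json", '{"project": "demo"}\n')
        zf.writestr("vcs/demo/po/cs.po", 'msgid ""\nmsgstr ""\n')
        zf.writestr("vcs/demo/.git/HEAD", "ref: refs/heads/main\n")
        # Git runs core.sshCommand on fetch/push; a hook script runs on checkout.
        zf.writestr("vcs/demo/.git/config", "[core]\n\tsshCommand = /tmp/evil.sh\n")
        zf.writestr("vcs/demo/.git/hooks/post-checkout", "#!/bin/sh\nid > /tmp/pwned\n")
        # Mercurial runs [hooks] entries from the repository hgrc.
        zf.writestr("vcs/demo/.hg/hgrc", "[hooks]\nupdate = id > /tmp/pwned\n")
        # Member that would land outside the restore directory (CWE-23).
        zf.writestr("../../etc/cron.d/evil", "* * * * * root /tmp/evil.sh\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_backup()
    for path, reason in scan_backup(sample).items():
        print(f"UNSAFE ({reason}): {path}")
    cleaned, dropped = sanitize_backup(sample)
    print(f"dropped {len(dropped)} member(s); remaining: {list_entries(cleaned)}")
```

Stripping these members is a stopgap for an archive you already hold, not a substitute for the upgrade: the scan only knows the paths listed on this page, so anything the fix in 5.17 handles beyond them would pass unnoticed. Run it on a copy, keep the original for forensics if anything is flagged, and treat a flagged archive from an untrusted project owner as an attempted attack rather than a mistake.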
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33435 is a high-severity remote code execution vulnerability that allows an attacker with project creation privileges to execute arbitrary code remotely by exploiting improper filtering of Git and Mercurial configuration files during project backup restoration.
Such a vulnerability could impact compliance with common standards and regulations like GDPR and HIPAA because it threatens the confidentiality, integrity, and availability of data. Unauthorized remote code execution could lead to data breaches, unauthorized data access, or manipulation, which are violations of these regulations' requirements for protecting sensitive information.
Mitigation involves restricting access to project backups to authorized users only and updating to Weblate version 5.17 or later, which fixes the issue by sanitizing repository data during restoration and preventing restoration of dangerous VCS configuration files.