Executive Summary

CVE-2026-33435 is a high-severity remote code execution vulnerability in Weblate versions prior to 5.17. It occurs because the project backup restoration process does not properly filter Git and Mercurial configuration files.

This improper filtering allows an attacker, under certain conditions, to execute arbitrary code remotely by exploiting weaknesses such as relative path traversal, code injection, and unrestricted upload of dangerous file types.

Specifically, the vulnerability arises from the backup process using external input to construct file paths without adequate sanitization, constructing code segments from untrusted input, and processing dangerous file types automatically.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution, allowing an attacker with project creation privileges to run arbitrary code on the Weblate server.

The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS scores for these metrics.

Because the attack vector is network-based and requires high privileges but no user interaction, an attacker who can create projects and access backups can exploit this vulnerability remotely.

Mitigation involves restricting access to project backups to trusted users and updating Weblate to version 5.17 or later where the issue is fixed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper filtering of Git and Mercurial configuration files during project backup restoration in Weblate versions prior to 5.17. Detection would focus on identifying if your Weblate instance is running a vulnerable version and if project backups contain unfiltered VCS configuration files such as .git/config, .git/config.worktree, .hg/hgrc, or files under .git/hooks/.

To detect the vulnerability on your system, you can:

• Check the Weblate version to confirm if it is prior to 5.17.
• Inspect project backup archives for the presence of sensitive VCS configuration files that should be filtered.
• Look for suspicious or unexpected files in the backup directories, especially Git hooks or Mercurial config files.

Suggested commands to assist detection might include:

• Use a command like `weblate --version` or check the Weblate UI to determine the installed version.
• Extract and list files from a backup archive to check for unsafe files, for example: `tar -tf backup.tar | grep -E '\.git/config|\.git/hooks/|\.hg/hgrc'`
• Search the backup directory for suspicious files: `find /path/to/backup -name 'config' -o -path '*/.git/hooks/*' -o -name 'hgrc'`

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Weblate to version 5.17 or later, where the vulnerability has been fixed by sanitizing the project backup restore process to exclude dangerous VCS configuration files.

If immediate upgrading is not possible, you should restrict access to the project backup functionality to only trusted users who have project creation privileges, as the vulnerability can only be exploited by users with such privileges.

Additional mitigation steps include:

• Limit network access to the Weblate backup feature to reduce exposure.
• Manually inspect and clean existing backups to remove any unsafe VCS configuration files before restoration.
• Apply the patch described in the fix (patch #18549) if upgrading is delayed, which skips restoring sensitive VCS files and reinitializes repository configuration safely.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-33435 is a high-severity remote code execution vulnerability that allows an attacker with project creation privileges to execute arbitrary code remotely by exploiting improper filtering of Git and Mercurial configuration files during project backup restoration.

Such a vulnerability could impact compliance with common standards and regulations like GDPR and HIPAA because it threatens the confidentiality, integrity, and availability of data. Unauthorized remote code execution could lead to data breaches, unauthorized data access, or manipulation, which are violations of these regulations' requirements for protecting sensitive information.

Mitigation involves restricting access to project backups to authorized users only and updating to Weblate version 5.17 or later, which fixes the issue by sanitizing repository data during restoration and preventing restoration of dangerous VCS configuration files.

Useful 0 Not Useful 0