GHSA-558g-h753-6m33HighCVSS 8.0
Weblate: Remote code execution during backup restoration
🔗 CVE IDs covered (1)
📋 Description
Impact
The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.
Patches
- https://github.com/WeblateOrg/weblate/pull/18549
Workarounds
The project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.
References
This issue was reported by ggamno via HackerOne.
🎯 Affected products1
- pip/weblate:< 5.17
🔗 References (5)
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33
- https://nvd.nist.gov/vuln/detail/CVE-2026-33435
- https://github.com/WeblateOrg/weblate/pull/18549
- https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-154.yaml
- https://github.com/advisories/GHSA-558g-h753-6m33