GHSA-558g-h753-6m33HighCVSS 8.0

Weblate: Remote code execution during backup restoration

Published
April 16, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

Patches

  • https://github.com/WeblateOrg/weblate/pull/18549

Workarounds

The project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.

References

This issue was reported by ggamno via HackerOne.

🎯 Affected products1

  • pip/weblate:< 5.17

🔗 References (5)