Severity: MEDIUM (6.8) · Ecosystem: PyPI
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
GHSA-mqph-7h49-hqfm · CVE-2026-33220 · PYSEC-2026-153
Description
Impact
The translation memory API exposed unintended endpoints, which in turn did not enforce proper access control.
Patches
Workarounds
The CDN add-on is not enabled by default.
References
Thanks to @spbavarva for reporting this responsibly via GitHub.
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33220
- WEB https://github.com/WeblateOrg/weblate/pull/18516
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-153.yaml