HIGH 8.0 PyPI
Weblate: Remote code execution during backup restoration
GHSA-558g-h753-6m33 · CVE-2026-33435 · PYSEC-2026-154
Description
Impact
The project backup did not filter Git and Mercurial configuration files, which could lead to remote code execution under certain circumstances.
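The following is an added illustration, not Weblate's code or its actual fix: a restore routine that drops Git and Mercurial configuration and hook files from a backup archive before extracting it. The reason such files matter is that both tools execute what their repository-local configuration names: Git honours settings such as core.hooksPath, core.fsmonitor and core.sshCommand from .git/config and runs scripts under .git/hooks/, and Mercurial's .hg/hgrc can register hooks and extensions that run arbitrary Python. The deny rules, function names and the sample archive below are constructed for this example and are assumptions, not taken from the advisory.

```python
"""Strip VCS configuration and hooks from a project backup before restoring it.

Illustrative example only (not Weblate's code). Everything named here is an
assumption for the demonstration: the deny rules, the helpers and the sample
archive built in build_sample_backup().
"""
import io
import posixpath
import tarfile
from pathlib import Path
from typing import List, Optional, Tuple

# Hypothetical deny rules: VCS metadata directory -> path segments beneath it
# that can make the VCS run code when the restored repository is used.
#   .git/config       core.hooksPath, core.fsmonitor, core.sshCommand, helpers
#   .git/hooks/*      executed by Git on commit/checkout/push/...
#   .hg/hgrc          [hooks] and [extensions] run arbitrary Python
DENIED_VCS_PATHS = {
    ".git": {"config", "hooks"},
    ".hg": {"hgrc"},
}


def unsafe_path_reason(name: str) -> Optional[str]:
    """Return why an archive path must not be restored, or None if it is fine."""
    if name.startswith("/"):
        return "absolute path"
    parts = posixpath.normpath(name).split("/")
    if ".." in parts:
        return "path traversal"
    for i, part in enumerate(parts):
        denied = DENIED_VCS_PATHS.get(part)
        # Reject the denied name anywhere below the VCS directory, which also
        # catches nested layouts such as .git/modules/<sub>/config.
        if denied and any(p in denied for p in parts[i + 1:]):
            return "VCS configuration: " + "/".join(parts[i:])
    return None


def unsafe_reason(member: tarfile.TarInfo) -> Optional[str]:
    """Path rules plus a blanket refusal of link entries (they can alias paths)."""
    if member.issym() or member.islnk():
        return "link entry"
    return unsafe_path_reason(member.name)


def scan_backup(data: bytes) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split archive members into (safe names, [(rejected name, reason), ...])."""
    safe: List[str] = []
    rejected: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = unsafe_reason(member)
            if reason:
                rejected.append((member.name, reason))
            else:
                safe.append(member.name)
    return safe, rejected


def restore_backup(data: bytes, dest: Path) -> List[Tuple[str, str]]:
    """Extract only the safe members into dest and return what was skipped."""
    safe, rejected = scan_backup(data)
    keep = set(safe)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = [m for m in tar.getmembers() if m.name in keep]
        # Python 3.12+ (and security backports) adds the "data" filter, which
        # additionally strips setuid bits, device nodes and out-of-tree links.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return rejected


def build_sample_backup() -> bytes:
    """Constructed sample: a backup carrying inert but dangerous-looking VCS files."""
    files = {
        "project/weblate-backup.json": b'{"name": "demo"}\n',
        "project/.git/HEAD": b"ref: refs/heads/main\n",
        "project/.git/config": b"[core]\n\tfsmonitor = touch /tmp/marker\n",
        "project/.git/hooks/post-checkout": b"#!/bin/sh\necho compromised\n",
        "project/.hg/hgrc": b"[hooks]\nupdate = python:evil.run\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = scan_backup(build_sample_backup())
    print("restore:", safe)
    print("skip:   ", rejected)
```

A deny list like this is the minimum; a stricter restore would extract only the files the backup format itself defines and rebuild the VCS working copy from the remote afterwards, so that no repository metadata is ever taken from the archive.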
Patches
Workarounds
The project backup is only accessible to users who can create projects. Restricting that permission limits the scope of the vulnerability.
Credits
This issue was reported by ggamno via HackerOne.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33435
- WEB https://github.com/WeblateOrg/weblate/pull/18549
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-154.yaml