What is CVE-2026-33435?

CVE-2026-33435 is a high-severity vulnerability in Weblateorg Weblate, classified under Relative Path Traversal. CVSS score: 8.1/10. Published 2026-04-15.

How severe is CVE-2026-33435?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Weblateorg Weblate

CVE-2026-33435

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in…

EPSS: 0.001 (29.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Weblateorg Weblate — versions < 5.17

Weakness classification (CWE)

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33 (x_refsource_CONFIRM)
https://github.com/WeblateOrg/weblate/pull/18549 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33435?: CVE-2026-33435 is a high-severity vulnerability in Weblateorg Weblate, classified under Relative Path Traversal. CVSS score: 8.1/10. Published 2026-04-15.
How severe is CVE-2026-33435?: High severity. CVSS v3 base score is 8.1 out of 10.