GHSA-558g-h753-6m33

Source

https://github.com/advisories/GHSA-558g-h753-6m33

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-558g-h753-6m33/GHSA-558g-h753-6m33.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-558g-h753-6m33

Aliases

CVE-2026-33435
PYSEC-2026-154

Published

2026-04-16T20:41:38Z

Modified

2026-05-20T08:11:30.551711611Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Weblate: Remote code execution during backup restoration

Details

Impact

The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

Patches

https://github.com/WeblateOrg/weblate/pull/18549

Workarounds

The project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.

References

This issue was reported by ggamno via HackerOne.

Database specific

{
    "github_reviewed_at": "2026-04-16T20:41:38Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-23",
        "CWE-434",
        "CWE-94"
    ],
    "nvd_published_at": "2026-04-15T19:16:35Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / weblate

Package

Name: weblate; View open source insights on deps.dev
Purl: pkg:pypi/weblate

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.17

Affected versions

1.*

1.9

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.10.1

2.11

2.12

2.13

2.13.1

2.14

2.14.1

2.15

2.16

2.17

2.17.1

2.18

2.19

2.19.1

2.20

3.*

3.0

3.0.1

3.1

3.1.1

3.2

3.2.1

3.2.2

3.3

3.4

3.5

3.5.1

3.6

3.6.1

3.7

3.7.1

3.8

3.9

3.9.1

3.10

3.10.1

3.10.2

3.10.3

3.11

3.11.1

3.11.2

3.11.3

4.*

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1

4.1.1

4.2

4.2.1

4.2.2

4.3

4.3.1

4.3.2

4.4

4.4.1

4.4.2

4.5

4.5.1

4.5.2

4.5.3

4.6

4.6.1

4.6.2

4.7

4.7.1

4.7.2

4.8

4.8.1

4.9

4.9.1

4.10

4.10.1

4.11

4.11.1

4.11.2

4.12

4.12.1

4.12.2

4.13

4.13.1

4.14

4.14.1

4.14.2

4.15

4.15.1

4.15.2

4.16

4.16.1

4.16.2

4.16.3

4.16.4

4.17

4.18

4.18.1

4.18.2

5.*

5.0

5.0.1

5.0.2

5.1

5.1.1

5.2

5.2.1

5.3

5.3.1

5.4

5.4.1

5.4.2

5.4.3

5.5

5.5.2

5.5.3

5.5.4

5.5.5

5.6

5.6.1

5.6.2

5.7

5.7.1

5.7.2

5.8.1

5.8.2

5.8.3

5.8.4

5.9.1

5.9.2

5.10

5.10.1

5.10.2

5.10.3

5.10.4

5.11

5.11.1

5.11.3

5.11.4

5.12.1

5.12.2

5.13

5.13.1

5.13.2

5.13.3

5.14

5.14.1

5.14.2

5.14.3

5.15

5.15.1

5.15.2

5.16

5.16.1

5.16.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-558g-h753-6m33/GHSA-558g-h753-6m33.json"