CVE-2026-33220: Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

April 16, 2026 (updated June 8, 2026)

The translation memory API exposed unintended endpoints, which in turn didn’t do proper access control.

References

github.com/WeblateOrg/weblate/pull/18516
github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm
github.com/advisories/GHSA-mqph-7h49-hqfm
github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-153.yaml
nvd.nist.gov/vuln/detail/CVE-2026-33220

Code Behaviors & Features

Detect and mitigate CVE-2026-33220 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →