CVE-2026-33435: Weblate: Remote code execution during backup restoration

April 16, 2026

The project backup didn’t filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

References

github.com/WeblateOrg/weblate
github.com/WeblateOrg/weblate/pull/18549
github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33
github.com/advisories/GHSA-558g-h753-6m33
nvd.nist.gov/vuln/detail/CVE-2026-33435

Code Behaviors & Features

Detect and mitigate CVE-2026-33435 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →