CVE-2026-33440: Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
The ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn’t restrict possible redirects.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-33440 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →