Weblate Vulnerability Allows RCE via Project Backups
The National Vulnerability Database has flagged a critical flaw in Weblate, a popular web-based localization tool. Versions prior to 5.17 are susceptible to remote code execution (RCE) because Git and Mercurial configuration files contained in project backups are not properly filtered. The issue is patched in version 5.17; organizations that cannot update immediately can mitigate the risk by restricting access to project backups, since only users with project creation privileges can exploit this vulnerability.
The CVSS score for this vulnerability is 8 (HIGH); the vector indicates that the flaw is reachable over the network and requires high privileges, but the attack path is complex. The Common Weakness Enumeration (CWE) lists it as CWE-23 (Path Traversal), CWE-94 (Code Injection), and CWE-434 (Unrestricted Upload of File with Dangerous Type), highlighting the multifaceted risk it presents.
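The mitigation hinges on treating version-control metadata inside a backup as untrusted. The following added example (not Weblate's own code; which files the 5.17 fix actually filters is an assumption here) audits a zip-format backup and flags Git/Mercurial config and hook files as well as path-traversal entries before anything is restored:

```python
import io
import zipfile
from pathlib import PurePosixPath

# Entries under these VCS directories that carry settings or hooks.
# Assumption: this list is illustrative, not Weblate's actual filter.
BLOCKED_GIT = {"config", "hooks"}
BLOCKED_HG = {"hgrc", "hooks"}


def is_vcs_config(member: str) -> bool:
    """True if a backup entry is a Git/Mercurial config or hook file."""
    parts = PurePosixPath(member).parts
    for i, part in enumerate(parts[:-1]):
        if part == ".git" and parts[i + 1] in BLOCKED_GIT:
            return True
        if part == ".hg" and parts[i + 1] in BLOCKED_HG:
            return True
    return False


def is_unsafe_path(member: str) -> bool:
    """Flag absolute paths and '..' components (CWE-23) in archive entries."""
    p = PurePosixPath(member)
    return p.is_absolute() or ".." in p.parts


def audit_backup(data: bytes) -> dict:
    """Classify each entry of a zip backup as 'ok', 'vcs_config' or 'traversal'."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if is_unsafe_path(name):
                findings[name] = "traversal"
            elif is_vcs_config(name):
                findings[name] = "vcs_config"
            else:
                findings[name] = "ok"
    return findings


def build_sample_backup() -> bytes:
    """Constructed sample archive for the demo; not a real Weblate backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/po/de.po", 'msgid "x"\nmsgstr "y"\n')
        zf.writestr("project/.git/config", "[core]\n\trepositoryformatversion = 0\n")
        zf.writestr("project/.hg/hgrc", "[hooks]\n")
        zf.writestr("../outside.txt", "")
    return buf.getvalue()
```

A restore routine would refuse the archive (or drop the flagged entries) whenever `audit_backup` returns anything other than "ok".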
Indicators of Compromise
| ID | Type | Affected component |
|---|---|---|
| CVE-2026-33435 | RCE | Weblate versions prior to 5.17 |
| CVE-2026-33435 | RCE | Weblate project backup functionality |
| CVE-2026-33435 | RCE | Unfiltered Git and Mercurial configuration files in project backup |