{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33435/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-33435"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33435","rce","weblate"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, contains a vulnerability (CVE-2026-33435) in versions prior to 5.17. The flaw is in the project backup functionality, which does not adequately filter Git and Mercurial configuration files out of the backup archive. Such files can carry settings that make Git or Mercurial run a program (hooks and helper commands, for example), so a backup containing attacker-controlled configuration can lead to remote code execution (RCE) under certain circumstances. The vulnerability was reported and patched in version 5.17. The project backup feature is only available to users with project creation privileges, so on unpatched systems the exposure can be reduced by restricting that privilege to trusted users.\nThis vulnerability poses a significant risk: successful exploitation can lead to complete compromise of the Weblate server, data breaches and further malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a Weblate account with project creation privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a project whose repository contains crafted Git or Mercurial configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a project backup.\u003c/li\u003e\n\u003cli\u003eThe backup process does not filter the configuration files, so they are written into the backup archive unchanged.\u003c/li\u003e\n\u003cli\u003eThe backup is stored on the server and can later be restored into a project, so the tainted configuration lands in that project\u0026rsquo;s repository, potentially overwriting the existing configuration.\u003c/li\u003e\n\u003cli\u003eThe next time Weblate invokes Git or Mercurial on that repository, the VCS honours the attacker-controlled configuration and runs the commands it names within the Weblate server\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution and gains control over the Weblate server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33435 gives the attacker code execution on the Weblate server. The impact includes data breaches, unauthorized access to and tampering with localization projects, and complete compromise of the affected system. While the exact number of affected installations is unknown, organizations running vulnerable versions of Weblate risk significant operational disruption and data loss.\nSectors that rely on Weblate for localization, such as software development, content creation and e-commerce, are at increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weblate to version 5.17 or later, which patches CVE-2026-33435.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, restrict project creation privileges, and with them the project backup feature, to trusted users, as recommended in the CVE description.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual project backup downloads, focusing on requests to /admin/backup/ paths, and use the accompanying Sigma rule to detect unusual file downloads from the web server.\u003c/li\u003e\n\u003cli\u003eDeploy the accompanying Sigma rule that detects uploads of Git configuration files, and treat any Git or Mercurial configuration file arriving inside a backup or repository import as suspicious until it has been reviewed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:16:35Z","date_published":"2026-04-15T19:16:35Z","id":"/briefs/2026-04-weblate-rce/","summary":"Weblate versions before 5.17 do not filter Git and Mercurial configuration files out of project backups, which can lead to remote code execution under specific conditions; version 5.17 fixes the issue.","title":"Weblate Project Backup Vulnerability Leads to Potential Remote Code Execution (CVE-2026-33435)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33435","version":"https://jsonfeed.org/version/1.1"}
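The brief's attack chain and its last recommendation both turn on one control: VCS configuration must not pass through a project backup unexamined. The following is an added example, not Weblate's own code and not part of the original brief, showing what such an audit-and-filter step looks like. It assumes the backup is a zip archive holding the project's repositories with their .git/ and .hg/ directories intact (an assumption about the layout, not something the brief states), flags the Git and Mercurial settings whose value is a program the VCS executes (hook scripts, core.fsmonitor, core.hooksPath, filter smudge/clean drivers, Mercurial [hooks] and [extensions], shell aliases), and rewrites the archive without those members. The sample archive is constructed inline.

```python
"""Audit and filter a project backup archive for Git/Mercurial configuration that
the VCS would execute once the backup is restored. Added example for this brief,
not Weblate's code; the zip layout with .git/ and .hg/ directories is assumed."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Archive members a VCS treats as configuration or as an executable hook.
VCS_CONFIG_RE = re.compile(r"(^|/)(\.git/config|\.git/hooks/[^/]+|\.hg/hgrc|\.hgrc)$")
# Git settings whose value is a program Git runs (directly or via the shell).
GIT_COMMAND_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.gitproxy",
    "core.pager", "core.editor", "credential.helper", "diff.external",
    "sequence.editor", "uploadpack.packobjectshook",
}
GIT_COMMAND_KEY_RE = re.compile(
    r"^(filter\.[^.]+\.(smudge|clean|process)|diff\.[^.]+\.(command|textconv)|merge\.[^.]+\.driver)$"
)
# Mercurial: hooks run on repository events, extensions load Python code,
# ui.ssh/ui.editor name programs, and "!"-prefixed aliases are shell commands.
HG_COMMAND_KEY_RE = re.compile(r"^(hooks\.|extensions\.|ui\.(ssh|editor)$)")

def parse_vcs_config(text: str) -> Dict[str, str]:
    """Flatten INI-style Git/Mercurial config into {"section[.sub].key": value}."""
    entries: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            # Git writes [filter "lfs"]; names are case-insensitive except the subsection.
            header = line[1:-1].strip()
            m = re.match(r'^(\S+)\s+"(.*)"$', header)
            section = f"{m.group(1).lower()}.{m.group(2)}" if m else header.lower()
            continue
        m = re.match(r"^([^=:]+?)\s*[=:]\s*(.*)$", line)  # hgrc also accepts "key: value"
        if m:
            entries[f"{section}.{m.group(1).lower()}"] = m.group(2)
    return entries

def dangerous_settings(member: str, text: str) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs in one config file that would run a program."""
    is_hg = member.endswith("hgrc")
    found = []
    for key, value in parse_vcs_config(text).items():
        if is_hg:
            risky = HG_COMMAND_KEY_RE.match(key) or (key.startswith("alias.") and value.startswith("!"))
        else:
            risky = key in GIT_COMMAND_KEYS or GIT_COMMAND_KEY_RE.match(key)
        if risky:
            found.append((key, value))
    return found

def audit_backup(archive: bytes) -> List[Dict[str, str]]:
    """List every archive member that could cause code execution on restore."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not VCS_CONFIG_RE.search(info.filename):
                continue
            if "/.git/hooks/" in "/" + info.filename:
                # A hook script runs on its Git event whatever it contains; flag it whole.
                findings.append({"member": info.filename, "setting": "<hook script>", "value": ""})
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for key, value in dangerous_settings(info.filename, text):
                findings.append({"member": info.filename, "setting": key, "value": value})
    return findings

def filter_backup(archive: bytes) -> bytes:
    """Rewrite the archive without any VCS configuration or hook member.
    Dropping the member is the conservative choice: the VCS regenerates defaults."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not VCS_CONFIG_RE.search(info.filename):
                dst.writestr(info, src.read(info))
    return out.getvalue()

def member_names(archive: bytes) -> List[str]:
    """Sorted member names, to confirm what a filtered archive still holds."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sorted(zf.namelist())

def build_sample_backup() -> bytes:
    """Constructed sample, not a real Weblate export: a tainted Git repo, a tainted
    Mercurial repo and harmless translation content."""
    members = {
        "backup.json": '{"project": "demo"}\n',
        "vcs/demo/po/cs.po": 'msgid ""\nmsgstr ""\n',
        "vcs/demo/.git/config": '[core]\n\tfsmonitor = /tmp/marker.sh\n[filter "lfs"]\n\tsmudge = /tmp/marker.sh %f\n',
        "vcs/demo/.git/hooks/post-checkout": "#!/bin/sh\ntouch /tmp/marker\n",
        "vcs/hgdemo/.hg/hgrc": "[hooks]\nupdate = /tmp/marker.sh\n[paths]\ndefault = https://example.invalid/hg\n",
    }
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_backup()
    for finding in audit_backup(sample):
        print(f"{finding['member']}: {finding['setting']} = {finding['value']}")
    print("after filtering:", member_names(filter_backup(sample)))
```

Run against the constructed sample, `audit_backup` reports four findings (core.fsmonitor and the LFS smudge driver in the Git config, the post-checkout hook, and the Mercurial update hook), and `filter_backup` leaves only the translation content and the backup metadata. The same routine can sit on the import side as well, which is where a restored backup turns into a live repository; the key list is deliberately a deny-list of known command-bearing settings and should be extended rather than relied on as complete.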