{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/weblate/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34393"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["weblate","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, contains an improper privilege management vulnerability (CVE-2026-34393) affecting versions prior to 5.17. The vulnerability lies in the user patching API endpoint, which doesn\u0026rsquo;t adequately restrict the scope of edits allowed. An attacker with low privileges could potentially exploit this flaw to modify data or settings beyond their authorized permissions. This issue was reported and patched in Weblate version 5.17. Successful exploitation can lead to data integrity issues, unauthorized access to sensitive information, and potentially, complete compromise of the Weblate instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Weblate with a low-privileged user account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the user patching API endpoint (e.g., \u003ccode\u003e/api/users/\u0026lt;user_id\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious API request to modify attributes of a different user account, potentially an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the request to the vulnerable API endpoint, exploiting the lack of proper scope validation.\u003c/li\u003e\n\u003cli\u003eThe Weblate server processes the request without correctly verifying the attacker\u0026rsquo;s authorization to modify the target user\u0026rsquo;s attributes.\u003c/li\u003e\n\u003cli\u003eThe target user\u0026rsquo;s attributes are modified according to the attacker\u0026rsquo;s request, potentially elevating the attacker\u0026rsquo;s privileges or compromising the target user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access sensitive data or perform unauthorized actions within the Weblate system.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access by creating new admin accounts or backdoors within the Weblate system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34393 can lead to significant data breaches, unauthorized modifications, and complete compromise of the Weblate instance. An attacker could gain administrative access, modify translations, and potentially inject malicious content into localized software. The number of affected installations is currently unknown, but any Weblate instance running a version prior to 5.17 is vulnerable. Organizations that rely on Weblate for their localization workflows are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Weblate to version 5.17 or later to patch CVE-2026-34393.\u003c/li\u003e\n\u003cli\u003eMonitor Weblate\u0026rsquo;s web server logs for suspicious API requests targeting the user patching endpoint (\u003ccode\u003e/api/users/\u0026lt;user_id\u0026gt;\u003c/code\u003e) as described in the Attack Chain (use the Sigma rule provided below).\u003c/li\u003e\n\u003cli\u003eReview user account permissions and audit logs for any unexpected privilege escalations.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and authorization checks within the Weblate application to prevent similar vulnerabilities in the future.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-weblate-privilege-escalation/","summary":"Weblate versions prior to 5.17 are vulnerable to improper privilege management due to an API endpoint failing to properly limit the scope of edits, potentially leading to unauthorized modifications.","title":"Weblate Improper Privilege Management via API Endpoint (CVE-2026-34393)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-33435"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33435","rce","weblate"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, contains a vulnerability (CVE-2026-33435) in versions prior to 5.17. The flaw stems from the project backup functionality, which fails to adequately filter Git and Mercurial configuration files. This oversight can be exploited to achieve remote code execution (RCE) under certain circumstances. The vulnerability was reported and patched in version 5.17. Mitigation steps for unpatched systems involve restricting access to the project backup feature, as it is limited to users with project creation privileges. This vulnerability poses a significant risk, as successful exploitation can lead to complete system compromise, data breaches, and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a Weblate account with project creation privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious project containing crafted Git or Mercurial configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a project backup.\u003c/li\u003e\n\u003cli\u003eThe backup process fails to properly sanitize the malicious configuration files.\u003c/li\u003e\n\u003cli\u003eThe backup is stored on the server, potentially overwriting existing files.\u003c/li\u003e\n\u003cli\u003eThe Weblate server attempts to process or utilize the tainted configuration files.\u003c/li\u003e\n\u003cli\u003eDue to improper sanitization, the malicious configuration files trigger command execution within the Weblate server\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, gaining control over the Weblate server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33435 can lead to remote code execution on the Weblate server. The impact includes potential data breaches, unauthorized access to localization projects, and complete compromise of the affected system. While the exact number of affected installations is unknown, organizations using vulnerable versions of Weblate risk significant operational disruption and data loss. Sectors utilizing Weblate for localization, such as software development, content creation, and e-commerce, are at increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weblate to version 5.17 or later to patch CVE-2026-33435.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, restrict access to the project backup feature to only trusted users as recommended in the CVE description.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to project backup downloads, focusing on requests to /admin/backup/ paths. Use the provided Sigma rule to detect unusual file downloads from the webserver.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious file uploads of git configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:16:35Z","date_published":"2026-04-15T19:16:35Z","id":"/briefs/2026-04-weblate-rce/","summary":"Weblate versions before 5.17 are susceptible to remote code execution due to unfiltered Git and Mercurial configuration files in project backups, potentially allowing attackers to execute arbitrary code under specific conditions.","title":"Weblate Project Backup Vulnerability Leads to Potential Remote Code Execution (CVE-2026-33435)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-34242"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["weblate","path-traversal","zip-archive","cve-2026-34242"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeblate, a web-based localization tool, has a path traversal vulnerability (CVE-2026-34242) affecting versions prior to 5.17. The vulnerability exists within the ZIP download feature, where the application fails to adequately verify downloaded files. This can allow an attacker to craft a malicious ZIP archive containing symbolic links that, when extracted by a user or the application itself, can lead to files outside of the intended repository being accessed. The vulnerability was reported and patched in version 5.17. Exploitation of this vulnerability requires a user to download and extract a maliciously crafted ZIP file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Weblate instance running a version prior to 5.17.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to a translation project, either legitimately (e.g., as a translator) or illegitimately (e.g., via compromised credentials or another vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious ZIP archive containing symbolic links that point to sensitive files or directories outside the intended Weblate repository (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, application configuration files).\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious ZIP archive to the Weblate project, potentially disguised as a legitimate translation file.\u003c/li\u003e\n\u003cli\u003eA user (e.g., an administrator or another translator) downloads the ZIP archive using the ZIP download feature.\u003c/li\u003e\n\u003cli\u003eThe user extracts the ZIP archive on their local machine or, if Weblate automatically processes the ZIP, on the server.\u003c/li\u003e\n\u003cli\u003eThe symbolic links within the extracted archive are resolved, potentially allowing access to sensitive files or directories outside the Weblate repository.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to sensitive information, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability (CVE-2026-34242) can allow an attacker to read arbitrary files on the server where Weblate is installed or on a user\u0026rsquo;s machine if the user downloads and extracts the crafted ZIP archive locally. This could lead to the exposure of sensitive information such as application configuration files, database credentials, or even system-level files, depending on the permissions of the user or the Weblate application. The severity is rated as HIGH with a CVSS v3.1 score of 7.7.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weblate to version 5.17 or later to patch CVE-2026-34242 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on Weblate servers to detect unauthorized file access (reference: Attack Chain - step 7).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect ZIP archive downloads containing suspicious filenames that might indicate path traversal attempts (reference: rules).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading and extracting files from untrusted sources (reference: Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T19:16:35Z","date_published":"2026-04-15T19:16:35Z","id":"/briefs/2026-04-weblate-path-traversal/","summary":"Weblate versions before 5.17 are vulnerable to path traversal due to improper verification of downloaded files in the ZIP download feature, potentially allowing attackers to access files outside the intended repository.","title":"Weblate Path Traversal Vulnerability in ZIP Download Feature (CVE-2026-34242)","url":"https://feed.craftedsignal.io/briefs/2026-04-weblate-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Weblate","version":"https://jsonfeed.org/version/1.1"}