Weblate: JavaScript localization CDN add-on allows arbitrary local file read...

6.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.

Basic Information

ID CVE-2026-33220

Source GitHub_M

Published Apr 15, 2026 at 18:03

Affected Product

Vendor WeblateOrg

Product weblate

Version < 5.17

Affected Versions WeblateOrg weblate < 5.17

CWE Classification

CWE-22 CWE-200

References

{
    "lastseen": "",
    "description": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.",
    "published": "2026-04-15T18:03:40.728Z",
    "modified": "2026-04-15T18:03:40.728Z",
    "type": "cve",
    "title": "Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository",
    "source": "GitHub_M",
    "references": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mqph-7h49-hqfm\nhttps://github.com/WeblateOrg/weblate/pull/18516",
    "id": "CVE-2026-33220",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "WeblateOrg weblate < 5.17",
    "sourceHref": "",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "weblate",
    "version": "< 5.17",
    "vendor": "WeblateOrg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository_CVE-2026-33220