CVE-2026-33440

MEDIUM

Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads

Title source: cna

Description

Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.

References (2)

[X_Refsource_Confirm] https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m

[X_Refsource_Misc] https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6

View Writeup ZIP pw:eip

Scores

CVSS v3 5.0

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Details

CWE

CWE-918

Status published

Products (3)

pypi/weblate 0 - 5.17PyPI

weblate/weblate < 5.17

WeblateOrg/weblate < 5.17

Published Apr 15, 2026

Tracked Since Apr 16, 2026