{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33440", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.438Z", "datePublished": "2026-04-15T18:15:12.560Z", "dateUpdated": "2026-04-15T18:49:25.077Z"}, "containers": {"cna": {"title": "Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m"}, {"name": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:15:12.560Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17."}], "source": {"advisory": "GHSA-5fhx-9jwj-867m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:49:07.967345Z", "id": "CVE-2026-33440", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:49:25.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:49:07.967345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:49:12.319Z"}}], "cna": {"title": "Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads", "source": {"advisory": "GHSA-5fhx-9jwj-867m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6", "name": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T18:15:12.560Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33440", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:49:25.077Z", "dateReserved": "2026-03-19T18:45:22.438Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T18:15:12.560Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17."}], "id": "CVE-2026-33440", "lastModified": "2026-04-15T19:16:35.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T19:16:35.447", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-15T22:14:38.556515+00:00", "value": {"mitigation_remediation": ["Upgrade Weblate to version 5.17 or later to apply the official fix for the SSRF bypass.", "If an upgrade is not immediately possible, configure the ALLOWED_ASSET_DOMAINS setting to include only trusted domains or IP ranges, thereby limiting the scope of asset uploads.", "Consider disabling or strictly validating redirects in the asset upload processing to prevent future bypasses of domain restrictions."], "summary": {"action": "Update to 5.17", "impact": "Server\u2011Side Request Forgery via redirect bypass for authenticated users"}, "threat_synthesis": {"affected_systems": "The affected product is Weblate developed by WeblateOrg. All versions of Weblate prior to 5.17 are vulnerable. Versions 5.17 and later contain the fix that correctly enforces the asset domain restriction for all redirects.", "description_and_impact": "Weblate versions before 5.17 allow an authenticated user to trigger a Server\u2011Side Request Forgery by uploading a screenshot URL that redirects. The ALLOWED_ASSET_DOMAINS setting only applies to the initial request, so any subsequent redirects can reach arbitrary hosts. This flaw can be used to access internal network resources, read sensitive data, or potentially reach services that do not expose themselves externally. The vulnerability is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score for this issue is 5.0, reflecting moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated within Weblate, but once authenticated can inject arbitrary URLs that will be processed by the server. Because no external exploit is known and the impact is limited to internal resources, the overall risk is moderate, but the flaw remains significant for sites exposed to external contributors who can upload screenshots."}}}}, "created": "2026-04-15T22:15:15.711760+00:00", "updated": "2026-04-16T09:12:32.727529+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}