CVE-2026-23535

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f	Patch
https://github.com/WeblateOrg/wlc/pull/1128	Issue Tracking Patch
https://github.com/WeblateOrg/wlc/releases/tag/1.17.2	Product Release Notes
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg	Patch Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-16 19:16

Updated : 2026-02-18 16:26

NVD link : CVE-2026-23535

Mitre link : CVE-2026-23535

CVE.ORG link : CVE-2026-23535

JSON object : View

Products Affected

weblate

wlc

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-23535", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2026-01-16T19:16:19.407", "references": [{"url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/wlc/pull/1128", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg", "tags": ["Patch", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."}, {"lang": "es", "value": "wlc es un cliente de l\u00ednea de comandos de Weblate que utiliza la API REST de Weblate. Antes de la versi\u00f3n 1.17.2, la descarga de m\u00faltiples traducciones podr\u00eda escribir en una ubicaci\u00f3n arbitraria cuando era instruida por un servidor malicioso. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.17.2."}], "lastModified": "2026-02-18T16:26:25.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE9E9EAB-FA37-452C-8726-AC707E423550", "versionEndExcluding": "1.17.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}