Platform: python
Component: wlc
Fixed in: 1.17.3, 1.17.2
CVE-2026-23535 describes a Path Traversal vulnerability discovered in the Weblate CLI client. This vulnerability allows a malicious server to instruct the client to write files to arbitrary locations on the system, potentially leading to unauthorized code execution or data modification. The vulnerability affects versions of Weblate CLI client up to and including 1.9, and a fix is available in version 1.17.2.
The primary impact of CVE-2026-23535 stems from the malicious server's ability to dictate where the Weblate CLI client writes files. An attacker could leverage this to overwrite critical system files, inject malicious code, or exfiltrate sensitive data, which could lead to complete system compromise, data breaches, and denial of service. Because exploitation depends on a crafted server, the attacker must control the network endpoint the client connects to; where that control is established, the potential impact is significant.
This vulnerability was reported by [wh1zee] via HackerOne. As of the public disclosure date (2026-01-16), there are no publicly known proof-of-concept exploits. The vulnerability's exploitation probability is considered medium, given the requirement for attacker control over a server and the relatively specific context of Weblate CLI client usage. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using the Weblate CLI client, particularly those who rely on automated workflows involving file downloads from external or untrusted sources, are at risk. Shared hosting environments where multiple users share the same system and Weblate CLI client installation are also particularly vulnerable.
Detection checks (python / generic web):
• Check the installed wlc version:
  wlc --version
• Monitor for unusual file creation patterns in the user's home directory or other writable locations, for example files modified within the last 60 minutes:
  find /home/$USER -type f -mmin -60 -print
• Inspect network traffic for suspicious file download responses (requires network monitoring tools such as tcpdump or Wireshark).
Disclosure
Exploit status:
EPSS: 0.01% (2nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-23535 is to upgrade the Weblate CLI client to version 1.17.2 or later, which includes the fix. As a temporary workaround, avoid using the wlc download command with servers that are not fully trusted. This prevents the client from receiving instructions to write files to arbitrary locations. Regularly review and audit the configuration of your Weblate environment to ensure that only trusted servers are used. Consider implementing network segmentation to limit the potential blast radius of a successful exploit.
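The unsafe pattern the advisory describes (a file name dictated by the server joined directly onto the download directory) next to a hardened version that confines every write to that directory. This is an added illustration written for this page, not wlc's own code; the destination directory, the sample server-supplied names and the function names are assumptions.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample: file names a hypothetical malicious server might return
# alongside a legitimate one. Illustrative only, not taken from wlc or the advisory.
SAMPLE_SERVER_NAMES = [
    "locale/de/django.po",        # legitimate, stays inside the download directory
    "../../../tmp/owned.txt",     # traversal via parent-directory components
    "/etc/cron.d/job",            # absolute path supplied by the server
    "de/../../../../escape.po",   # traversal hidden behind a normal-looking prefix
]


def unsafe_target(dest_dir: str, server_name: str) -> str:
    """Vulnerable pattern: the server-supplied name is joined verbatim.
    os.path.join drops dest_dir entirely when server_name is absolute and
    keeps '..' components, so the resulting write can land anywhere."""
    return os.path.join(dest_dir, server_name)


def safe_target(dest_dir: str, server_name: str) -> Path:
    """Hardened pattern: validate the name, then confine the resolved path."""
    base = Path(dest_dir).resolve()
    # Reject absolute names on either path flavour before any joining happens.
    if PurePosixPath(server_name).is_absolute() or PureWindowsPath(server_name).is_absolute():
        raise ValueError(f"absolute path from server rejected: {server_name!r}")
    parts = PurePosixPath(server_name.replace("\\", "/")).parts
    # Reject empty names and any parent-directory component.
    if not parts or any(p == ".." for p in parts):
        raise ValueError(f"traversal component from server rejected: {server_name!r}")
    candidate = (base / Path(*parts)).resolve()
    # Defence in depth: after symlink resolution the path must still sit under base.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"resolved path escapes {base}: {candidate}")
    return candidate


def is_contained(dest_dir: str, server_name: str) -> bool:
    """True if the server-supplied name would be written under dest_dir."""
    try:
        safe_target(dest_dir, server_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in SAMPLE_SERVER_NAMES:
        verdict = "accepted" if is_contained("/tmp/wlc-example", name) else "rejected"
        print(f"{verdict:8} {name!r:32} unsafe join -> {unsafe_target('/tmp/wlc-example', name)}")
```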
Update wlc to version 1.17.2 or later. This fixes the path traversal vulnerability that allows writing to arbitrary locations. You can update with the pip package manager: `pip install -U wlc`.
CVE-2026-23535 is a Path Traversal vulnerability in the Weblate CLI client that allows a malicious server to write files to arbitrary locations.
You are affected if you are using Weblate CLI client versions 1.9 or earlier.
Upgrade to version 1.17.2 or later. As a temporary workaround, avoid using wlc download with untrusted servers.
There is currently no indication of active exploitation in the wild.
Refer to the Weblate GitHub pull request: https://github.com/WeblateOrg/wlc/pull/1128