Platform: python
Component: wlc
Fixed in: 1.17.3, 1.17.2
CVE-2026-23535 describes a Path Traversal vulnerability discovered in the Weblate CLI client. This vulnerability allows a malicious server to instruct the client to write files to arbitrary locations on the system, potentially leading to unauthorized code execution or data modification. The vulnerability affects versions of Weblate CLI client up to and including 1.9, and a fix is available in version 1.17.2.
The core impact of CVE-2026-23535 lies in its ability to bypass file system access controls. An attacker controlling a malicious server can exploit this vulnerability to write arbitrary files to the system where the Weblate CLI client is running. This could involve overwriting critical configuration files, injecting malicious scripts, or even gaining remote code execution if the written files are subsequently executed. The blast radius is dependent on the permissions of the user running the Weblate CLI client; a user with elevated privileges would grant the attacker significantly more control over the system. This vulnerability shares similarities with other Path Traversal exploits where attackers leverage predictable file system structures to access unauthorized resources.
CVE-2026-23535 was reported to Weblate via HackerOne by wh1zee and publicly disclosed on 2026-01-16. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) has been released. The vulnerability is not currently listed in the CISA KEV catalog. The EPSS score is likely low given the lack of public exploits and the requirement that the server the client talks to be malicious or compromised.
Exploit Status
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-23535 is to upgrade the Weblate CLI client to version 1.17.2 or later, which includes the fix. As a temporary workaround, avoid running `wlc download` against servers that are not fully trusted, since that is the path by which the client receives the server-chosen file names that lead to arbitrary file writes. Consider implementing input validation on the server side to prevent the construction of malicious file paths. After upgrading, verify the fix by running a `wlc download` operation against a trusted server and confirming that files are written only to the expected location.
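As an added illustration, not code from wlc and not a statement of how the project's fix is implemented, the following Python shows the client-side check that closes this class of bug: a server-supplied file name is confined to the local download directory, and anything that would resolve outside it is refused. The function names and the sample inputs are constructed for this example.

```python
"""Confine a server-supplied file name to a local download directory.

Added illustration (not wlc's code, and not a description of how the project's
fix is implemented) of the client-side check that closes the path traversal
class described for CVE-2026-23535: the server proposes a file name, the
client decides whether it may be written under the download directory.
Function names and sample values are constructed for this example.
"""
from pathlib import Path, PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a server-supplied name would land outside the download directory."""


def confine_download_path(base_dir: str, server_name: str) -> Path:
    """Return the absolute path at which `server_name` may be written, or raise.

    The server value is untrusted data: it is normalised, checked for absolute
    or parent-directory components, and the fully resolved result is required
    to stay inside `base_dir` (resolve() follows symlinks, so a link inside the
    directory that points elsewhere is rejected as well).
    """
    base = Path(base_dir).resolve()

    # Treat backslashes as separators too, so a Windows-style escape is visible
    # to the component checks below even on POSIX.
    untrusted = PurePosixPath(server_name.replace("\\", "/"))

    if not untrusted.parts:
        raise UnsafePathError(f"empty file name rejected: {server_name!r}")
    if untrusted.is_absolute():
        raise UnsafePathError(f"absolute path rejected: {server_name!r}")
    if ".." in untrusted.parts:
        # Rejected even when the '..' would net out inside base_dir: a legitimate
        # server has no reason to send one.
        raise UnsafePathError(f"parent-directory component rejected: {server_name!r}")

    candidate = base.joinpath(*untrusted.parts).resolve()

    # Final guard: the resolved location must be base_dir itself or below it.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"escapes download directory: {server_name!r}") from None
    return candidate


def is_safe(base_dir: str, server_name: str) -> bool:
    """True if confine_download_path accepts the name, False if it rejects it."""
    try:
        confine_download_path(base_dir, server_name)
    except UnsafePathError:
        return False
    return True


# Constructed sample of names a server might send; only the first two are legitimate.
SAMPLE_SERVER_NAMES = [
    "cs.po",
    "po/de/messages.po",
    "../../outside.txt",
    "/tmp/absolute.txt",
    "po/../../escape.txt",
    "..\\..\\escape.txt",
    "",
]


def classify(base_dir: str, names: list[str]) -> list[tuple[str, str]]:
    """Label each candidate name as accepted or rejected for the given directory."""
    return [(name, "accepted" if is_safe(base_dir, name) else "rejected") for name in names]


if __name__ == "__main__":
    for name, verdict in classify("downloads", SAMPLE_SERVER_NAMES):
        print(f"{verdict:8s} {name!r}")
```

The component checks are cheap early exits, but the last check is the one that matters: only resolving the joined path and testing it against the resolved base catches symlinks and platform-specific separators. Logging the rejected names also gives a detection signal that the server the client is talking to is hostile or compromised.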
Update wlc to version 1.17.2 or later. This fixes the path traversal vulnerability that allows writing to arbitrary locations. You can update using the pip package manager: `pip install -U wlc`.
CVE-2026-23535 is a Path Traversal vulnerability in the Weblate CLI client that allows a malicious server to write files to arbitrary locations.
You are affected if you are using Weblate CLI client versions 1.9 or earlier.
Upgrade to version 1.17.2 or later. As a temporary workaround, avoid using `wlc download` with untrusted servers.
There is currently no indication of active exploitation in the wild.
Refer to the Weblate GitHub pull request: https://github.com/WeblateOrg/wlc/pull/1128