Weblate
CVE-2022-23915
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.
AnalysisAI
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-88. The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution. Affected products include: Weblate. Version information: before 4.11.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter o
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limi
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded f
Weblate versions prior to 5.15.2 expose screenshot images through the web server without authentication controls, enabli
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpo
Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS
Weblate is a web based localization tool. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. Pub
Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassin
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email addres
Weblate is a web based localization tool. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable,
Weblate is a copyleft software web-based continuous localization system. Rated medium severity (CVSS 5.4), this vulnerab
Share
External POC / Exploit Code
Leaving vuln.today