Wlc
CVE-2026-23535
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
AnalysisAI
The wlc Weblate command-line client prior to version 1.17.2 is vulnerable to arbitrary file write attacks through path traversal when downloading multi-translations from a malicious or compromised server. An authenticated attacker can exploit this vulnerability by crafting a specially designed server response to write files to arbitrary locations on the victim's system, potentially compromising system integrity. This vulnerability affects wlc versions before 1.17.2 and is fixed in the patched version.
Technical ContextAI
Classified as CWE-22 (Path Traversal). Affects Wlc. wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 1.17.2.. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.
Wlc versions prior to 1.17.0 fail to restrict unscoped API keys, allowing them to be transmitted to unintended Weblate s
Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mmwx-79f6-67jg