{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23535", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.982Z", "datePublished": "2026-01-16T19:08:24.882Z", "dateUpdated": "2026-01-16T19:21:22.629Z"}, "containers": {"cna": {"title": "wlc Path traversal: Unsanitized API slugs in download command", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"}, {"name": "https://github.com/WeblateOrg/wlc/pull/1128", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/pull/1128"}, {"name": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f"}, {"name": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"version": "< 1.17.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:08:24.882Z"}, "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."}], "source": {"advisory": "GHSA-mmwx-79f6-67jg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T19:20:47.706307Z", "id": "CVE-2026-23535", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T19:21:22.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T19:20:47.706307Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T19:21:13.765Z"}}], "cna": {"title": "wlc Path traversal: Unsanitized API slugs in download command", "source": {"advisory": "GHSA-mmwx-79f6-67jg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"status": "affected", "version": "< 1.17.2"}]}], "references": [{"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg", "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/wlc/pull/1128", "name": "https://github.com/WeblateOrg/wlc/pull/1128", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f", "name": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2", "name": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T19:08:24.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23535", "state": "PUBLISHED", "dateUpdated": "2026-01-16T19:21:22.629Z", "dateReserved": "2026-01-13T18:22:43.982Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T19:08:24.882Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE9E9EAB-FA37-452C-8726-AC707E423550", "versionEndExcluding": "1.17.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."}], "id": "CVE-2026-23535", "lastModified": "2026-02-18T16:26:25.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-16T19:16:19.407", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/wlc/pull/1128"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory", "Mitigation"], "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:02:34.650822+00:00", "value": {"mitigation_remediation": ["Upgrade to wlc version\u202f1.17.2 or later, which contains the security fix.", "If an upgrade is not immediately possible, disable the multi\u2011translation download feature or restrict the client\u2019s write paths using system controls such as chroot, AppArmor, or file\u2011system permissions.", "Ensure the client connects only to trusted Weblate servers by enforcing TLS verification and validating server certificates, and avoid using self\u2011signed or untrusted servers."], "summary": {"action": "Upgrade to 1.17.2", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The affected product is WeblateOrg's wlc client. All releases prior to version\u202f1.17.2 are vulnerable. The fix is delivered in release\u202f1.17.2 and later. Any installation that uses the multi\u2011translation download capability to communicate with a Weblate server is susceptible until the client is updated.", "description_and_impact": "The wlc command\u2011line client for Weblate is vulnerable to a path\u2011traversal flaw in its multi\u2011translation download feature. Unsanitized API slugs supplied by the server cause the client to write files to any location specified in the response. The weakness is documented as CWE\u201122 and results in arbitrary file write on the local file system.", "risk_and_exploitability": "The base CVSS score is 8.1, indicating a high\u2011severity flaw that can be exercised during normal client operation. The EPSS score is less than\u202f1\u202f%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a server that sends a crafted API response instructing the client to write to an arbitrary path; the client must have write permission to that path. If the client runs with elevated privileges, overwriting executable or configuration files could potentially lead to broader compromise."}}}}, "created": "2026-01-19T09:20:36.168298+00:00", "updated": "2026-04-18T16:15:04.594220+00:00", "vendors": ["weblateorg", "weblateorg$PRODUCT$wlc"]}