Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
Published: 2026-01-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Upgrade to 1.17.2
AI Analysis

Impact

The wlc command‑line client for Weblate is vulnerable to a path‑traversal flaw in its multi‑translation download feature. Unsanitized API slugs supplied by the server cause the client to write files to any location specified in the response. The weakness is documented as CWE‑22 and results in arbitrary file write on the local file system.
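
The pattern the Impact paragraph describes, a server-supplied slug joined straight into a local write path, next to a hardened form that allow-lists each slug and confirms the resolved target stays under the output directory. This is an added Python illustration, not wlc's own code; the slug rule, the `/srv/wlc-out` base directory and the function names are assumptions, and path semantics are POSIX.

```python
import os
import re

# Hypothetical slug rule (not wlc's own): ASCII letters, digits, '-' and '_',
# so a slug can never carry '/', '\\', '..' or be empty.
SLUG_RE = re.compile(r"[A-Za-z0-9_-]{1,100}")
EXT_RE = re.compile(r"[a-z0-9]{1,10}")


def unsafe_output_path(base: str, project: str, component: str,
                       lang: str, ext: str) -> str:
    """Vulnerable pattern: server-controlled slugs are joined directly.

    A slug of '../../etc' climbs out of base, and an absolute slug such
    as '/etc' makes os.path.join discard base altogether.
    """
    return os.path.join(base, project, component, f"{lang}.{ext}")


def is_safe_slug(slug: str) -> bool:
    """Allow-list check: True only for a single plain path component."""
    return SLUG_RE.fullmatch(slug) is not None


def is_within(base: str, candidate: str) -> bool:
    """Defence in depth: the resolved target must stay under the resolved base."""
    real_base = os.path.realpath(base)
    real_target = os.path.realpath(candidate)
    return os.path.commonpath([real_base, real_target]) == real_base


def safe_output_path(base: str, project: str, component: str,
                     lang: str, ext: str) -> "str | None":
    """Hardened form: the write path, or None when any server value is unsafe."""
    if not all(is_safe_slug(s) for s in (project, component, lang)):
        return None
    if EXT_RE.fullmatch(ext) is None:
        return None
    candidate = os.path.join(base, project, component, f"{lang}.{ext}")
    if not is_within(base, candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed crafted response: the component slug is an absolute path.
    print(unsafe_output_path("/srv/wlc-out", "hello", "/etc/cron.d", "evil", "po"))
    print(safe_output_path("/srv/wlc-out", "hello", "/etc/cron.d", "evil", "po"))
```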

Affected Systems

The affected product is WeblateOrg's wlc client. All releases prior to version 1.17.2 are vulnerable. The fix is delivered in release 1.17.2 and later. Any installation that uses the multi‑translation download capability to communicate with a Weblate server is susceptible until the client is updated.

Risk and Exploitability

The base CVSS score is 8.1, a high-severity rating for a flaw that can be triggered during normal client operation. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a server that sends a crafted API response instructing the client to write to an arbitrary path, and the client must have write permission to that path. If the client runs with elevated privileges, overwriting executable or configuration files could lead to broader compromise.

Generated by OpenCVE AI on April 18, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to wlc version 1.17.2 or later, which contains the security fix.
  • If an upgrade is not immediately possible, disable the multi‑translation download feature or restrict the client’s write paths using system controls such as chroot, AppArmor, or file‑system permissions.
  • Ensure the client connects only to trusted Weblate servers by enforcing TLS verification and validating server certificates, and avoid using self‑signed or untrusted servers.


Advisories

Source: GitHub GHSA
ID: GHSA-mmwx-79f6-67jg
Title: Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command

History

Wed, 18 Feb 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Weblate; Weblate wlc
Type: CPEs
Values Added: cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Weblate; Weblate wlc

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Weblateorg; Weblateorg wlc
Type: Vendors & Products
Values Added: Weblateorg; Weblateorg wlc

Fri, 16 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:15:00 +0000

Type: Description
Values Added: wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
Type: Title
Values Added: wlc Path traversal: Unsanitized API slugs in download command
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T19:21:22.629Z

Reserved: 2026-01-13T18:22:43.982Z

Link: CVE-2026-23535

Vulnrichment

Updated: 2026-01-16T19:21:13.765Z

NVD

Status: Analyzed

Published: 2026-01-16T19:16:19.407

Modified: 2026-02-18T16:26:25.577

Link: CVE-2026-23535

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses