Arbitrary File Write Vulnerability in Weblate Command-Line Client
CVE-2026-23535

8.1HIGH

Key Information:

Vendor

Weblateorg

Status
Wlc
Vendor
CVE Published:
16 January 2026

What is CVE-2026-23535?

The Weblate command-line client, known as wlc, is vulnerable to an arbitrary file write issue that could allow a malicious server to dictate file locations for download. This flaw existed in versions prior to 1.17.2 and has been resolved in the updated version. Users are strongly recommended to upgrade to 1.17.2 or later to mitigate this risk and ensure the integrity of their files while using the Weblate REST API.

Affected Version(s)

wlc < 1.17.2

References

https://github.com/WeblateOrg/wlc/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/WeblateOrg/wlc/pull/1128
x_refsource_MISC
https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.