CVE-2026-23535

NameCVE-2026-23535
Descriptionwlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1125755

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wlc (PTS)bullseye1.2-1vulnerable
bookworm1.13-2vulnerable
trixie1.15-1vulnerable
forky, sid1.16.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wlcsource(unstable)(unfixed)1125755

Notes

https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
https://github.com/WeblateOrg/wlc/pull/1128
Fixed by: https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f (1.17.2)
Search for package or bug name: Reporting problems