| Name | CVE-2026-23535 |
| Description | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1125755 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| wlc (PTS) | bullseye | 1.2-1 | vulnerable |
| wlc (PTS) | bookworm | 1.13-2 | vulnerable |
| wlc (PTS) | trixie | 1.15-1 | vulnerable |
| wlc (PTS) | forky, sid | 1.16.1-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| wlc | source | (unstable) | (unfixed) | | | 1125755 |
Notes
[trixie] - wlc <no-dsa> (Minor issue)
[bookworm] - wlc <no-dsa> (Minor issue)
[bullseye] - wlc <no-dsa> (Minor issue)
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg
https://github.com/WeblateOrg/wlc/pull/1128
Fixed by: https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f (1.17.2)