CVE Reports

Posted on • Originally published at cvereports.com

Trust Issues: Arbitrary File Write in Weblate CLI (CVE-2026-23535)

Vulnerability ID: CVE-2026-23535
CVSS Score: 8.1
Published: 2026-01-16

A high-severity path traversal vulnerability in the Weblate command-line client (wlc) allows a malicious or compromised Weblate server to write arbitrary files on the client's machine. By placing directory traversal sequences in the 'slug' identifiers returned in API responses, an attacker controlling the server can escape the download directory and overwrite sensitive user files.

TL;DR

The Weblate CLI (wlc) trusted server-provided identifiers when naming downloaded files without validating them. A malicious server can return a 'slug' containing directory traversal sequences (../../), allowing it to overwrite files such as ~/.ssh/authorized_keys or .bashrc on the developer's machine. Fixed in version 1.17.2 via strict regex sanitization of slugs.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (Malicious Server Response)
  • CVSS v3.1: 8.1 (High)
  • Impact: Arbitrary File Write / Potential RCE
  • Exploit Status: PoC Available
  • Patch Status: Fixed in 1.17.2

Affected Systems

  • Weblate CLI (wlc) < 1.17.2 (fixed in 1.17.2)
  • Developer workstations
  • CI/CD pipelines using wlc

Code Analysis

Commit: 216e691

Fixed path traversal in project/component slugs

diff --git a/wlc/utils.py b/wlc/utils.py
+ NON_SLUG_RE = re.compile(r"[^a-zA-Z0-9_]")
+ def sanitize_slug(slug: str) -> str:
+    return NON_SLUG_RE.sub("-", slug)
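Review bot: the hunk adds the sanitizer but does not show its call sites, so the fix is only as complete as the set of places where a server-supplied project or component slug is joined into a filesystem path; each of those must route through sanitize_slug, and a test that feeds a slug such as "../../x" through the download path would pin that down. Two smaller points on the helper itself: an empty slug passes through unchanged as "", which when joined onto the download directory names the directory itself rather than a file inside it, and distinct slugs collapse to the same sanitized name (every disallowed character becomes "-"), so two components could silently overwrite each other's downloads. Rejecting a slug that does not match the allowlist (raise instead of substitute) would be stricter than rewriting it, and would also surface a misbehaving server rather than hide it.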

Exploit Details

  • Internal Research: Exploitation is trivial by mocking an API response with traversal characters in the slug field.

Mitigation Strategies

  • Input Sanitization: Implement strict allowlisting for filenames.
  • Principle of Least Privilege: Run CLI tools in containerized environments.
  • Zero Trust: Verify all data received from upstream APIs.
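The following is an added example, not code from wlc or from the original report, that shows why the allowlist matters and adds the containment check the Zero Trust item calls for. NON_SLUG_RE and sanitize_slug mirror the published fix; vulnerable_target is a hypothetical reconstruction of the pre-fix behaviour (the actual call sites are not shown in the report), hardened_target and escapes are constructed for this example, and the malicious slug values are constructed test input.

```python
import os
import re
from pathlib import Path

# Allowlist from the published fix: any character outside [a-zA-Z0-9_]
# is replaced with "-", so "../" sequences can no longer reach the path layer.
NON_SLUG_RE = re.compile(r"[^a-zA-Z0-9_]")


def sanitize_slug(slug: str) -> str:
    """Collapse every disallowed character to '-', as the fix does."""
    return NON_SLUG_RE.sub("-", slug)


def vulnerable_target(download_dir: str, project: str, component: str) -> str:
    """Hypothetical pre-fix behaviour: server-supplied slugs are joined
    straight into the path, so '../' in a slug walks out of download_dir."""
    return os.path.join(download_dir, project, component + ".po")


def escapes(download_dir: str, path: str) -> bool:
    """True when the normalized path lies outside download_dir."""
    base = Path(download_dir).resolve()
    resolved = Path(path).resolve()
    return base != resolved and base not in resolved.parents


def hardened_target(download_dir: str, project: str, component: str) -> str:
    """Sanitize with the allowlist, then verify containment as a second,
    independent layer (constructed defence in depth, not part of the fix)."""
    base = Path(download_dir).resolve()
    safe_project = sanitize_slug(project)
    safe_component = sanitize_slug(component)
    # An empty slug would otherwise name the download directory itself.
    if not safe_project or not safe_component:
        raise ValueError("empty slug after sanitization")
    target = base / safe_project / (safe_component + ".po")
    # Reject anything that still resolves outside the download directory.
    if escapes(download_dir, str(target)):
        raise ValueError(f"path escapes download directory: {target}")
    return str(target)


if __name__ == "__main__":
    # Constructed malicious API response: the project slug carries traversal.
    base_dir = "/srv/wlc-downloads"
    bad_project, component = "../../.ssh", "authorized_keys"

    before = vulnerable_target(base_dir, bad_project, component)
    print("vulnerable:", before, "escapes:", escapes(base_dir, before))

    after = hardened_target(base_dir, bad_project, component)
    print("hardened:  ", after, "escapes:", escapes(base_dir, after))
```

The vulnerable builder yields a path that normalizes to /.ssh/authorized_keys.po, outside the download directory, while the hardened builder turns the same slug into "-------ssh" and keeps the file under /srv/wlc-downloads. The containment check is independent of the regex, so it also catches any future path construction that bypasses sanitize_slug.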

Remediation Steps

  1. Upgrade Weblate CLI (wlc) to version 1.17.2 or higher.
  2. Verify the installation using wlc --version.
  3. Review file system permissions for the user running the CLI.

Read the full report for CVE-2026-23535 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)