CVE-2026-23535 HIGH

CVE-2026-23535: wlc Path traversal: Unsanitized API slugs in download command

Vendor Weblateorg
Product wlc
Weakness CWE-22 · Path traversal
Published January 16, 2026
Last update January 16, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Key dates

02Disclosure timeline

January 16, 2026 CVE published
January 16, 2026 Record updated