Lack of data validation - Path Traversal In wlc

Description

Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command

Impact

Multi-translation download could write to an arbitrary location when instructed by a crafted server.
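
A client-side guard against this class of bug, as an added example that is not wlc's own code or its patch: each slug taken from the API response is validated before it becomes a path component, and the resolved target is confirmed to stay inside the output directory. The function name, the slug pattern and the `project/component/language.ext` layout are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Assumption for this example: slugs and language codes consist only of
# letters, digits, "_", "-" and "@". Not taken from wlc or Weblate.
SLUG_RE = re.compile(r"[A-Za-z0-9_@-]+")


class UnsafeSlugError(ValueError):
    """A server-supplied slug cannot be used as a path component."""


def safe_download_path(output_dir, project, component, language, ext="zip"):
    """Return the file path for one downloaded translation.

    project, component and language come from the server's API response and
    are treated as untrusted; output_dir and ext are chosen locally.
    """
    for name, value in (("project", project), ("component", component),
                        ("language", language)):
        # fullmatch rejects "", "..", "/", "\\" and anything else outside the set
        if not isinstance(value, str) or not SLUG_RE.fullmatch(value):
            raise UnsafeSlugError(f"rejected {name} slug: {value!r}")

    base = Path(output_dir).resolve()
    target = (base / project / component / f"{language}.{ext}").resolve()

    # Defence in depth: the resolved path must still be under output_dir
    # (catches symlinked subdirectories that point elsewhere).
    if base not in target.parents:
        raise UnsafeSlugError(f"path escapes output directory: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample values, as a crafted server might return them.
    for slug in ("weblate", "../../../tmp/x", "/etc/cron.d", "a/b"):
        try:
            print("ok      ", safe_download_path("out", "hello", slug, "cs"))
        except UnsafeSlugError as exc:
            print("rejected", exc)
```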

Patches

Workarounds

Do not use wlc download with untrusted servers.

References

This issue was reported to us by wh1zee via HackerOne.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

FLAT-VNO4D – Vulnerability