PT-2022-16332 · Weblate · Weblate

Alessio Della Libera

·

Published

2022-03-04

·

Updated

2024-03-06

·

CVE-2022-23915

CVSS v3.1
8.8
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

Weblate versions from 0 and before 4.11.1 (fixed in 4.11.1)

Description:

Weblate did not properly sanitize some of the values it passes as arguments to Git and Mercurial. An authenticated user who can create a new component controls those values; by supplying one that git or hg parses as a command-line option rather than as data (argument injection), the user can change the behaviour of the VCS client in an unintended way and ultimately achieve Remote Code Execution (RCE) on the Weblate host. Instances where untrusted users cannot create new components are not affected.
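The mechanism described above, as an added example that is not Weblate's code and not the project's actual fix: a user-controlled value that begins with `-` is placed in a positional slot of a git or hg command line, and the VCS parses it as an option. Both tools have documented options that name a helper program to execute (git's `--upload-pack`, Mercurial's `--config ui.ssh=...`), which is what turns option injection into command execution. The hardened variant rejects option-like values and terminates option parsing with `--`, which both git and hg honour. The malicious strings, the allow-list regex and the function names are constructed for this example and are not taken from the advisory. Only argv lists are built; no process is spawned.

```python
"""Argument injection into VCS command lines: vulnerable versus hardened construction.

Only argv lists are built; no git/hg process is spawned, so this runs offline.
"""
import re
import subprocess

# Constructed attacker-controlled component settings (illustrative values, not
# taken from the advisory). A leading '-' is the whole trick: git and hg parse
# such a token as an option, and both tools have options that name helper
# programs to execute (git's --upload-pack, hg's --config ui.ssh=...).
MALICIOUS_REPO = "--upload-pack=/tmp/evil-helper"
MALICIOUS_BRANCH = "--config=ui.ssh=/tmp/evil-ssh"
BENIGN_REPO = "https://example.com/project.git"
BENIGN_BRANCH = "main"


def clone_argv_vulnerable(vcs, repo, dest):
    """User-controlled repo lands in a positional slot while option parsing is
    still active: a value starting with '-' is read as an option, and `dest`
    silently becomes the repository operand instead."""
    return [vcs, "clone", repo, dest]


def first_injected_option(argv):
    """Return the first user-supplied token the VCS would parse as an option,
    or None. Everything after '--' is positional for both git and hg."""
    for tok in argv[2:]:  # skip the program name and the subcommand
        if tok == "--":
            return None
        if tok.startswith("-"):
            return tok
    return None


# Allow-list for values forwarded to git/hg: no leading '-', no whitespace,
# no control characters. Hypothetical policy written for this example.
_SAFE_VCS_VALUE = re.compile(r"[^-\s\x00-\x1f][^\s\x00-\x1f]*")


def check_vcs_value(value, what):
    """Reject anything that could be parsed as an option (fullmatch, so a
    trailing newline cannot sneak past a '$' anchor)."""
    if not _SAFE_VCS_VALUE.fullmatch(value or ""):
        raise ValueError(f"rejected {what} {value!r}: could be parsed as an option")
    return value


def is_rejected(value):
    try:
        check_vcs_value(value, "value")
    except ValueError:
        return True
    return False


def clone_argv_hardened(vcs, repo, dest):
    """Validate, then terminate option parsing with '--' so that even a value
    that slips past validation can only ever be an operand."""
    check_vcs_value(repo, "repository URL")
    return [vcs, "clone", "--", repo, dest]


def fetch_argv_hardened(branch):
    """Branch names go behind '--' and inside a fully qualified refspec, so a
    leading '-' never reaches git's option parser."""
    check_vcs_value(branch, "branch")
    return ["git", "fetch", "--", "origin", f"refs/heads/{branch}"]


def run_vcs(argv, cwd):
    """Always exec an argv list (never shell=True) so no shell re-parses values."""
    return subprocess.run(argv, cwd=cwd, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    bad = clone_argv_vulnerable("git", MALICIOUS_REPO, "checkout")
    print("vulnerable argv:", bad, "-> injected option:", first_injected_option(bad))
    print("hardened argv:  ", clone_argv_hardened("git", BENIGN_REPO, "checkout"))
    try:
        clone_argv_hardened("git", MALICIOUS_REPO, "checkout")
    except ValueError as exc:
        print("hardened build refused:", exc)
```

Validation and the `--` terminator are complementary rather than alternatives: `--` covers gaps in the validator, while validation also protects values that later end up in places `--` cannot guard, such as configuration files or URLs handed to transport helpers.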

Recommendations:

Update to Weblate 4.11.1 or later, which contains the fix. Until the upgrade is done, restrict the ability to create new components to trusted users; an instance where untrusted users cannot create new components is not exploitable through this issue.

Fix

Weakness Enumeration

Command Injection
Argument Injection

Related Identifiers

BIT-WEBLATE-2022-23915
CVE-2022-23915
GHSA-3872-F48P-PXQJ
GHSA-H2G5-2RHX-FFGJ
PYSEC-2022-162
PYSEC-2022-31
SNYK-PYTHON-WEBLATE-2414088

Affected Products

Weblate