PT-2026-3302 · Wlc+1

Zee99Y · Published 2026-01-01 · Updated 2026-02-18 · CVE-2026-23535

CVSS v3.1: 8.0 High

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Weblate wlc versions prior to 1.17.2

Description

The Weblate command-line client (wlc), which uses Weblate's REST API, is susceptible to an arbitrary file write issue. Because API slugs are not sanitized, a crafted server can instruct the multi-translation download functionality to write files to an unintended location. The issue allows a malicious or compromised Weblate server to write arbitrary files to the client system. The vulnerability is related to the wlc download command.

Recommendations

Versions prior to 1.17.2 should be updated to version 1.17.2. As a workaround, avoid using the wlc download command with untrusted servers.
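
The kind of client-side check that closes this class of bug, as an added Python example (not wlc's code and not the 1.17.2 patch): every slug in the server's response is treated as untrusted before it becomes part of a local file name, and the resolved path is confirmed to stay inside the download directory. The function names, the file-name layout and the allowed character set are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a legitimate slug or language code is a short token of letters,
# digits, "_", "-" and "@" (e.g. "sr@latin"): no dots, slashes or backslashes.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_@-]{0,99}")


class UnsafeSlugError(ValueError):
    """A server-supplied value is not safe to use in a local file name."""


def safe_download_path(output_dir, project, component, language, ext="zip"):
    """Return <output_dir>/<project>-<component>-<language>.<ext> (hypothetical
    layout), or raise UnsafeSlugError if any part could leave output_dir."""
    parts = {"project": project, "component": component,
             "language": language, "ext": ext}
    for name, value in parts.items():
        if not isinstance(value, str) or not SAFE_TOKEN.fullmatch(value):
            raise UnsafeSlugError(f"rejected {name} value from server: {value!r}")
    base = Path(output_dir).resolve()
    target = (base / f"{project}-{component}-{language}.{ext}").resolve()
    # Defence in depth: after resolving symlinks the file must still be a
    # direct child of output_dir.
    if target.parent != base:
        raise UnsafeSlugError(f"{target} is outside {base}")
    return target


def plan_downloads(output_dir, entries):
    """Split server-reported translations into safe paths and rejections."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(safe_download_path(
                output_dir, entry["project"], entry["component"], entry["language"]))
        except (UnsafeSlugError, KeyError) as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of what a server might report; not real API output.
    sample = [
        {"project": "hello", "component": "web", "language": "sr@latin"},
        {"project": "hello", "component": "../../outside", "language": "cs"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = plan_downloads(tmp, sample)
        print("write:", [p.name for p in ok])
        print("refuse:", [reason for _, reason in bad])
```

Rejections are returned rather than silently skipped so that a client can log them: a server that reports slugs containing path separators is itself a signal worth investigating.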

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-23535
GHSA-MMWX-79F6-67JG

Affected Products

Weblate
Wlc