Cyber Posture

CVE-2026-23535

Severity: High
Published: 16 January 2026
Modified: 18 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in wlc 1.17.2)
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23535 is a high-severity Path Traversal (CWE-22) vulnerability in Weblate Wlc. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks at the 2.8th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

SI-10 Information Input Validation (prevent)
Directly mitigates path traversal by requiring validation of untrusted file paths received from the server before writing to the local filesystem.

SI-2 Flaw Remediation (prevent)
Addresses the root cause by requiring timely identification, reporting, and patching of the specific flaw fixed in wlc 1.17.2.

Least privilege (prevent)
Limits damage from arbitrary file writes by enforcing least privilege on the user or process running the wlc client, restricting access to critical local paths.

MITRE ATT&CK Enterprise Techniques, AI-generated

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

Arbitrary file write via malicious server response in download feature directly enables transfer and placement of attacker-controlled files on victim filesystem.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Deeper analysis, AI-generated

CVE-2026-23535 is a path traversal vulnerability (CWE-22) in wlc, the command-line client for Weblate that interacts with its REST API. Versions prior to 1.17.2 are affected, where the multi-translation download feature can be tricked into writing files to arbitrary locations on the local filesystem when processing responses from a crafted server. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to potential for complete confidentiality, integrity, and availability impacts with a changed scope.

An attacker can exploit this by controlling a malicious Weblate server to which a victim authenticates with low privileges (PR:L) and initiates a multi-translation download. This requires network access (AV:N), high attack complexity (AC:H), and user interaction (UI:R), such as running the wlc command. Successful exploitation allows arbitrary file writes on the victim's local system, potentially leading to full compromise through overwrite of critical files, execution of malicious code, or data exfiltration.

The vulnerability is fixed in wlc version 1.17.2, as detailed in the project's security advisory (GHSA-mmwx-79f6-67jg), release notes, associated pull request, and commit. Security practitioners should advise users to upgrade immediately to the patched version to mitigate risks.
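The SI-10 control above and the analysis of the flaw both come down to one defensive pattern: a download client must never trust a filename the server hands it as a destination. The following is an added example written for this page, not wlc's own code or the project's actual fix; the function names (safe_target_path, write_download, run_demo) and the sample filenames are constructed for illustration. It maps a server-supplied name onto a path strictly inside the chosen download directory, rejecting absolute paths in POSIX and Windows form, drive letters, parent-directory segments, NUL bytes, and anything that still resolves outside the directory after symlinks are followed.

```python
"""Hardened handling of server-supplied filenames for a download client (added example)."""
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePathError(ValueError):
    """Raised when a server-supplied filename would escape the download directory."""


def safe_target_path(dest_dir: str, server_supplied_name: str) -> Path:
    """Map an untrusted filename onto a path strictly inside dest_dir, or raise.

    Lexical checks reject the obvious escapes; the final relative_to() check on the
    fully resolved path also catches escapes through a symlinked subdirectory.
    """
    if not server_supplied_name or "\x00" in server_supplied_name:
        raise UnsafePathError("empty or NUL-containing filename")

    # Normalise backslashes so a Windows-style traversal is caught on POSIX hosts too.
    posix = PurePosixPath(server_supplied_name.replace("\\", "/"))
    win = PureWindowsPath(server_supplied_name)
    if posix.is_absolute() or win.is_absolute() or win.drive:
        raise UnsafePathError(f"absolute path or drive rejected: {server_supplied_name!r}")
    if any(part == ".." for part in posix.parts):
        raise UnsafePathError(f"parent-directory segment rejected: {server_supplied_name!r}")

    base = Path(dest_dir).resolve()
    candidate = base.joinpath(*posix.parts).resolve()
    try:
        candidate.relative_to(base)  # containment check on the resolved path
    except ValueError:
        raise UnsafePathError(f"resolves outside download dir: {candidate}") from None
    if candidate == base:
        raise UnsafePathError("filename resolves to the download directory itself")
    return candidate


def write_download(dest_dir: str, server_supplied_name: str, data: bytes) -> Path:
    """Write downloaded content, refusing any destination that escapes dest_dir."""
    target = safe_target_path(dest_dir, server_supplied_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where available) refuses to write through a symlink created
    # between the resolve() above and the open, narrowing the remaining race.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def classify(dest_dir: str, names: list[str]) -> dict[str, str]:
    """Return {name: 'accepted' | 'rejected'} for a batch of server-supplied names."""
    verdicts = {}
    for name in names:
        try:
            safe_target_path(dest_dir, name)
            verdicts[name] = "accepted"
        except UnsafePathError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample of filenames a crafted server response might contain.
CONSTRUCTED_NAMES = [
    "de/messages.po",          # benign: stays inside the download directory
    "./fr/messages.po",        # benign: leading ./ collapses harmlessly
    "../../escape.po",         # traversal via parent segments
    "..\\..\\escape.po",       # same traversal with Windows separators
    "/tmp/escape.po",          # absolute POSIX path
    "C:\\Users\\victim\\x.po", # absolute Windows path with drive letter
    ".",                       # the directory itself
]


def run_demo() -> tuple[dict[str, str], bytes]:
    """Classify the constructed names in a temp dir and round-trip one safe write."""
    with tempfile.TemporaryDirectory() as tmp:
        verdicts = classify(tmp, CONSTRUCTED_NAMES)
        written = write_download(tmp, "de/messages.po", b'msgid ""\nmsgstr ""\n')
        return verdicts, written.read_bytes()


if __name__ == "__main__":
    results, content = run_demo()
    for name, verdict in results.items():
        print(f"{verdict:8} {name!r}")
    print("round-trip ok:", content == b'msgid ""\nmsgstr ""\n')
```

The lexical checks alone are not sufficient, which is why the resolved-path containment check comes last: a subdirectory under the download directory that is itself a symlink to somewhere else passes every string test but fails relative_to() once resolved.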

Details

CWE(s)
CWE-22 (Path Traversal)

Affected Products
weblate / wlc, versions prior to 1.17.2 (fixed in 1.17.2)

CVEs Like This One

CVE-2026-27699 (shared CWE-22)
CVE-2026-20660 (shared CWE-22)
CVE-2025-68398 (same vendor: Weblate)
CVE-2026-34242 (same vendor: Weblate)
CVE-2026-33236 (shared CWE-22)
CVE-2026-39305 (shared CWE-22)
CVE-2026-39308 (shared CWE-22)
CVE-2026-7398 (shared CWE-22)
CVE-2026-40611 (shared CWE-22)
CVE-2026-27969 (shared CWE-22)

References