HIGH 8.0
PYSEC-2026-2053
Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command
Details
### Impact Multi-translation download could write to an arbitrary location when instructed by a crafted server.
### Patches * https://github.com/WeblateOrg/wlc/pull/1128
### Workarounds Do not use `wlc download` with untrusted servers.
### References This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-23535 [ADVISORY]
- https://github.com/WeblateOrg/wlc/pull/1128 [WEB]
- https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f [WEB]
- https://github.com/WeblateOrg/wlc [PACKAGE]
- https://github.com/WeblateOrg/wlc/releases/tag/1.17.2 [WEB]
- https://pypi.org/project/wlc [PACKAGE]
- https://github.com/advisories/GHSA-mmwx-79f6-67jg [ADVISORY]