CVE-2026-23535 is a path traversal vulnerability classified under CWE-22 affecting the Weblate command-line client (wlc) prior to version 1.17.2. Weblate is a popular open-source platform for continuous localization, and wlc is its CLI client that interacts with Weblate's REST API to facilitate translation downloads. The vulnerability arises in the multi-translation download feature, where the client improperly limits the pathname of files it writes to disk. Specifically, a malicious or compromised Weblate server can craft responses that cause wlc to write files outside the intended directory, potentially anywhere on the filesystem. This arbitrary file write can lead to overwriting critical system or application files, insertion of malicious code, or disruption of system operations. Exploitation requires network-level access to a Weblate server and user interaction to initiate the multi-translation download. The CVSS 3.1 vector indicates network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), and required user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed and fixed in version 1.17.2. Organizations using wlc should consider this a critical threat due to the potential for remote arbitrary file writes leading to code execution or data compromise.

For European organizations, this vulnerability poses significant risks, especially those relying on Weblate and wlc for localization workflows. The arbitrary file write capability can lead to unauthorized modification or deletion of critical files, potentially resulting in system compromise, data breaches, or service disruption. Confidentiality is at risk if sensitive files are overwritten or replaced with malicious payloads. Integrity is compromised as attackers can alter translation files or other system files, undermining trust in localized content. Availability may be affected if critical system files are corrupted, causing application or system failures. Given the network-based attack vector and low privilege requirement, attackers can exploit this vulnerability remotely if users interact with a malicious Weblate server. This is particularly concerning for organizations with distributed teams or those integrating third-party translation services. The lack of known exploits in the wild suggests a window for proactive mitigation before active exploitation occurs.

1. Upgrade the Weblate command-line client (wlc) to version 1.17.2 or later immediately to apply the patch that fixes the path traversal vulnerability. 2. Restrict network access to trusted Weblate servers only, using network segmentation, firewall rules, or VPNs to prevent connections to potentially malicious servers. 3. Implement strict validation and monitoring of file system changes in directories used by wlc to detect unauthorized or suspicious file writes. 4. Educate users about the risks of interacting with untrusted Weblate servers and enforce policies to only use verified translation services. 5. Employ application whitelisting or endpoint protection solutions that can detect or block unauthorized file modifications. 6. Regularly audit and review localization workflows and dependencies to identify and remediate potential security gaps. 7. Consider containerizing or sandboxing the wlc client environment to limit the impact of arbitrary file writes.