CVE-2022-23915

HIGH

weblate <4.11.1 - RCE

Description

The package weblate, in versions from 0 and before 4.11.1, is vulnerable to Remote Code Execution (RCE) via argument injection when using Git or Mercurial repositories. Authenticated users can change the behavior of the application in an unintended way, leading to command execution.

Scores

CVSS v3 7.2
EPSS 0.0163
EPSS Percentile 82.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-88
Status published
Products (2)
pypi/Weblate 0 - 4.11.1 (PyPI)
weblate/weblate < 4.11.1
Published Mar 04, 2022
Tracked Since Feb 18, 2026