CVE-2022-23915
HIGHWeblate < 4.11.1 - Authenticated Remote Code Execution via Argument Injection
Title source: llmDescription
The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution.
References (4)
Core 4
Core References
Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-PYTHON-WEBLATE-2414088
Patch, Third Party Advisory x_refsource_misc
https://github.com/WeblateOrg/weblate/pull/7338
Patch, Third Party Advisory x_refsource_misc
https://github.com/WeblateOrg/weblate/pull/7337
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/WeblateOrg/weblate/releases/tag/weblate-4.11.1
Scores
CVSS v3
7.2
EPSS
0.0286
EPSS Percentile
84.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (2)
pypi/Weblate
0 - 4.11.1PyPI
weblate/weblate
< 4.11.1
Published
Mar 04, 2022
Tracked Since
Feb 18, 2026