CVE-2022-23915

HIGH

weblate <4.11.1 - RCE

Title source: llm

Description

The weblate package, in versions from 0 up to but not including 4.11.1, is vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users can change the behavior of the application in an unintended way, leading to command execution.

Scores

CVSS v3 7.2
EPSS 0.0163
EPSS Percentile 81.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-88
Status published

Affected Products (2)

weblate/weblate < 4.11.1
pypi/Weblate < 4.11.1 (PyPI)

Timeline

Published Mar 04, 2022
Tracked Since Feb 18, 2026