Duplicate Advisory: Command injection in Weblate

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-3872-f48p-pxqj. This link is maintained to preserve external references.

Original Description

Weblate is a web based localization tool with tight version control integration. Prior to version 4.11.1, Weblate didn't properly sanitize some arguments passed to Git and Mercurial, allowing them to change their behavior in an unintended way. Instances where untrusted users cannot create new components are not affected. The issues were fixed in the 4.11.1 release.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-03-05 00:00:44 UTC
Updated
2026-01-23 22:29:41 UTC
GitHub reviewed
2022-03-14 23:12:25 UTC
NVD published
2022-03-04
Withdrawn
2026-01-23 22:29:40 UTC

EPSS Score

Score Percentile
0.04% 14.51%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip Weblate < 4.11.1 4.11.1

References

cvelogic Threat Intelligence