Weblate is vulnerable to command injection. The vulnerability exists in _clone
and get_remote_branch
functions in mercurial.py
and git.py
respectively because some arguments are not sanitize which allows an attacker to inject and execute arbitrary commands.