Skip to main content

wlc (Weblate CLI) CVE-2026-42150

| EUVDEUVD-2026-28501 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 GitHub_M
5.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
May 08, 2026 - 05:01 EUVD
Source Code Evidence Fetched
May 08, 2026 - 04:35 vuln.today
Analysis Generated
May 08, 2026 - 04:35 vuln.today
CVE Published
May 08, 2026 - 03:23 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.

AnalysisAI

Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges to inject malicious HTML/JavaScript into API responses, which are then embedded unescaped in HTML output. When the HTML output is rendered in a browser, this enables XSS attacks. The vulnerability requires explicit use of the HTML output format (non-default), user interaction to open/view the HTML file, and elevated API credentials, limiting real-world risk despite the network vector.

Technical ContextAI

wlc is a Python command-line client for Weblate's REST API that formats API responses in multiple output formats including HTML. The vulnerability exists in the print_html() method in wlc/main.py, which directly interpolates API response data (keys and values) into HTML table markup using Python f-strings without HTML entity escaping. The root cause is improper input validation/output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation). The fix adds an html.escape() wrapper via a new format_html_value() classmethod that safely encodes all user-controllable data before HTML rendering, following the OWASP principle of output encoding. Affected versions are distributed via pip package wlc with versions < 2.0.0 vulnerable.

RemediationAI

Upgrade wlc to version 2.0.0 or later, available via pip: 'pip install --upgrade wlc>=2.0.0'. The vendor-released patch introduces html.escape() in the format_html_value() method to sanitize all HTML output. For environments unable to upgrade immediately, disable or restrict HTML output format usage (the vulnerable code path is opt-in via command-line flag '--format=html'), and ensure API credentials are protected since the vulnerability requires high privileges (API token/authentication). Additionally, validate that any HTML files generated by wlc are not served over HTTP without Content-Security-Policy headers, and educate users to view wlc output as plain text rather than rendering HTML in browsers when possible. Full advisory and patch: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3, PR https://github.com/WeblateOrg/wlc/pull/1327.

Share

CVE-2026-42150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy