Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
AnalysisAI
Cross-site scripting in wlc command-line client versions prior to 2.0.0 allows authenticated users with high privileges to inject malicious HTML/JavaScript into API responses, which are then embedded unescaped in HTML output. When the HTML output is rendered in a browser, this enables XSS attacks. The vulnerability requires explicit use of the HTML output format (non-default), user interaction to open/view the HTML file, and elevated API credentials, limiting real-world risk despite the network vector.
Technical ContextAI
wlc is a Python command-line client for Weblate's REST API that formats API responses in multiple output formats including HTML. The vulnerability exists in the print_html() method in wlc/main.py, which directly interpolates API response data (keys and values) into HTML table markup using Python f-strings without HTML entity escaping. The root cause is improper input validation/output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation). The fix adds an html.escape() wrapper via a new format_html_value() classmethod that safely encodes all user-controllable data before HTML rendering, following the OWASP principle of output encoding. Affected versions are distributed via pip package wlc with versions < 2.0.0 vulnerable.
RemediationAI
Upgrade wlc to version 2.0.0 or later, available via pip: 'pip install --upgrade wlc>=2.0.0'. The vendor-released patch introduces html.escape() in the format_html_value() method to sanitize all HTML output. For environments unable to upgrade immediately, disable or restrict HTML output format usage (the vulnerable code path is opt-in via command-line flag '--format=html'), and ensure API credentials are protected since the vulnerability requires high privileges (API token/authentication). Additionally, validate that any HTML files generated by wlc are not served over HTTP without Content-Security-Policy headers, and educate users to view wlc output as plain text rather than rendering HTML in browsers when possible. Full advisory and patch: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3, PR https://github.com/WeblateOrg/wlc/pull/1327.
The wlc Weblate command-line client prior to version 1.17.2 is vulnerable to arbitrary file write attacks through path t
Wlc versions prior to 1.17.0 fail to restrict unscoped API keys, allowing them to be transmitted to unintended Weblate s
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28501