Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
Published: 2026-05-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in wlc’s print_html function inserts API response data into an HTML document without escaping special characters, allowing an attacker to embed arbitrary script or HTML that will execute when the output is rendered in a browser. This stored cross‑site scripting flaw can lead to client‑side code execution against anyone viewing the generated HTML.
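As an added illustration (not wlc's own code, and not the advisory's), the Python below reconstructs the pattern the advisory describes: a print_html-style renderer that interpolates API values raw, beside a hardened version that escapes every string in the response before it reaches the markup, plus a check that flags any markup-bearing API string surviving verbatim in the output. The sample API payload and the function names are constructed for the example.

```python
import html

# Constructed sample API response (not real Weblate data). One value carries a
# script tag, another a double quote that would terminate an attribute value.
SAMPLE_RESPONSE = {
    "name": "Frontend <script>alert(1)</script>",
    "slug": 'frontend" onmouseover="alert(2)',
    "languages": ["cs", "de"],
}

def _cell(value):
    """Flatten a leaf or list into the text placed in a table cell."""
    if isinstance(value, list):
        return ", ".join(str(v) for v in value)
    return "" if value is None else str(value)

def render_unescaped(data):
    """Pre-2.0.0 pattern as the advisory describes it: API values interpolated raw."""
    rows = ['<tr><td>{}</td><td title="{}">{}</td></tr>'.format(k, _cell(v), _cell(v))
            for k, v in data.items()]
    return "<table>\n" + "\n".join(rows) + "\n</table>"

def escape_tree(value):
    """Escape every string in a nested API payload; leave numbers, bools and None alone."""
    if isinstance(value, dict):
        return {html.escape(str(k), quote=True): escape_tree(v) for k, v in value.items()}
    if isinstance(value, list):
        return [escape_tree(v) for v in value]
    if value is None or isinstance(value, (bool, int, float)):
        return value
    # quote=True also escapes " and ' so a value cannot break out of an attribute.
    return html.escape(str(value), quote=True)

def render_escaped(data):
    """Hardened form: same layout, but nothing reaches the markup unescaped."""
    return render_unescaped(escape_tree(data))

def raw_markup_leaks(data, rendered):
    """Detection check: API strings with markup characters that survived verbatim."""
    leaks, stack = [], [data]
    while stack:
        item = stack.pop()
        if isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
        elif isinstance(item, str) and any(c in item for c in '<>"\'&') and item in rendered:
            leaks.append(item)
    return leaks
```

Running raw_markup_leaks over the unescaped output reports both tainted fields; over the escaped output it reports nothing, which is the property a temporary escaping layer in front of older wlc output should satisfy.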

Affected Systems

The vulnerability is limited to WeblateOrg’s wlc command‑line client in any release older than version 2.0.0. Version 2.0.0 and later include a patch that properly escapes API data before embedding it in the HTML output.

Risk and Exploitability

The CVSS score of 5.1 signals moderate severity, and the absence of an EPSS value or KEV listing suggests the risk of widespread exploitation is low to moderate. The likely attack vector requires an attacker to supply malicious API data, which would normally be performed via an authenticated API write operation (this requirement is inferred from the fact that the flaw involves API response data). If an attacker gains such write access, the malicious content will be stored and later rendered, resulting in the stored XSS described above.

Generated by OpenCVE AI on May 8, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wlc to version 2.0.0 or later, where API data is properly escaped before being embedded in HTML.
  • If an upgrade cannot be performed immediately, restrict API write permissions or proactively sanitize any data containing script or HTML before storage or rendering.
  • Ensure that any instances of wlc’s print_html output are used only in secure, non‑browser contexts or that an additional escaping layer is applied as a temporary safeguard.

Generated by OpenCVE AI on May 8, 2026 at 05:52 UTC.


Advisories
Source: Github GHSA
ID: GHSA-gx2m-mcc2-r4p3
Title: wlc: print_html outputs API data without HTML escaping
History

Tue, 12 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Weblate; Weblate wlc
CPEs                 (none)           cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Weblate; Weblate wlc

Fri, 08 May 2026 22:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Weblateorg; Weblateorg wlc
Vendors & Products   (none)           Weblateorg; Weblateorg wlc

Fri, 08 May 2026 04:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
Title        (none)           wlc: print_html outputs API data without HTML escaping, enabling stored XSS
Weaknesses   (none)           CWE-79
References   (none)
Metrics      (none)           cvssV3_1: {'score': 5.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:28:38.342Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42150

Vulnrichment

Updated: 2026-05-08T14:33:23.956Z

NVD

Status: Analyzed

Published: 2026-05-08T04:16:18.920

Modified: 2026-05-12T14:00:17.217

Link: CVE-2026-42150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T07:00:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')