CVE-2026-42150 PUBLISHED

wlc: print_html outputs API data without HTML escaping, enabling stored XSS

Assigner: GitHub_M
Reserved: 24.04.2026 Published: 08.05.2026 Updated: 08.05.2026

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 5.1

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	WeblateOrg
Product	wlc
Versions	Version < 2.0.0 is affected

References

https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3
https://github.com/WeblateOrg/wlc/pull/1327
https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469
https://github.com/WeblateOrg/wlc/releases/tag/2.0.0

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE