Cross-Site Scripting Vulnerability in Weblate's Command-Line Client
CVE-2026-42150

5.1 MEDIUM

Key Information:

Vendor: Weblateorg

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42150?

The wlc command-line client for Weblate, prior to version 2.0.0, is vulnerable to cross-site scripting (XSS) through its HTML output format. The client embeds API response data into the generated HTML without sufficient escaping, so markup carried in that data may run as script when the output is displayed in a web browser. The issue is patched in version 2.0.0, and users are advised to upgrade to it.
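The class of bug described above, shown as an added example that is not wlc's own code: a table renderer that writes API field values into HTML as-is, next to the escaped form, with a parser-based check for elements that should never appear in the output. The function names and the sample rows are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: rows shaped like an API response. The second row
# carries markup in a field that a remote party can set.
SAMPLE_ROWS = [
    {"name": "Hello", "slug": "hello"},
    {"name": "<script>alert(1)</script>", "slug": "demo"},
]

def _table(rows, cell):
    """Build an HTML table, passing every header and value through cell()."""
    if not rows:
        return "<table></table>"
    keys = list(rows[0])
    head = "".join(f"<th>{cell(k)}</th>" for k in keys)
    body = "".join(
        "<tr>" + "".join(f"<td>{cell(r.get(k, ''))}</td>" for k in keys) + "</tr>"
        for r in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>"

def render_unescaped(rows):
    """Unsafe pattern: values are embedded in the HTML without escaping."""
    return _table(rows, str)

def render_escaped(rows):
    """Hardened pattern: every value is HTML-escaped before embedding."""
    return _table(rows, lambda v: html.escape(str(v), quote=True))

class _TagCollector(HTMLParser):
    """Records the name of every element start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def unexpected_tags(document, allowed=frozenset({"table", "tr", "th", "td"})):
    """Return element names in the document that the renderer never emits itself."""
    parser = _TagCollector()
    parser.feed(document)
    parser.close()
    return sorted(set(parser.tags) - allowed)

if __name__ == "__main__":
    print("unescaped:", unexpected_tags(render_unescaped(SAMPLE_ROWS)))
    print("escaped:  ", unexpected_tags(render_escaped(SAMPLE_ROWS)))
```

The same `unexpected_tags` check can be run over saved HTML reports produced by older client versions to find files that already contain injected elements.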

Affected Version(s)

wlc < 2.0.0

CVSS V3.1

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed
