CVE-2026-42150 Overview
CVE-2026-42150 is a cross-site scripting (XSS) vulnerability in wlc, the Weblate command-line client that interacts with Weblate's REST API. Versions prior to 2.0.0 embed API response data into HTML output without escaping. When a user renders the generated HTML in a browser, attacker-controlled content from the API response executes as script. The issue is tracked under [CWE-79] and was fixed in wlc version 2.0.0.
Critical Impact
Unescaped API response data in wlc HTML output enables script execution in the rendering browser, potentially exposing user session context and stored credentials.
Affected Products
- Weblate wlc versions prior to 2.0.0
- Weblate wlc command-line client (Python package)
- Tooling and pipelines consuming wlc HTML output in a browser
Discovery Timeline
- 2026-05-08 - CVE-2026-42150 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42150
Vulnerability Analysis
The wlc client supports multiple output formats, including HTML, for rendering Weblate REST API responses. In versions prior to 2.0.0, the HTML output writer in wlc/main.py concatenates API response fields directly into HTML markup. The writer does not apply HTML entity escaping to attacker-influenceable fields such as translation strings, component names, or project metadata returned by the Weblate API.
When the resulting HTML file is opened in a browser, any embedded <script> tags or HTML event handlers execute in the browser's context. Exploitation requires that an attacker can influence content stored in a Weblate instance, that a user with wlc produces HTML output covering that content, and that the user renders the file. The scope change reflects script execution crossing from the file context into the browser security boundary.
Root Cause
The root cause is missing output encoding [CWE-79]. The HTML writer treated API response strings as safe markup rather than as data, omitting calls to an HTML-escape routine before interpolation. The fix imports Python's html module and escapes values prior to writing them into the HTML document.
Attack Vector
An authenticated contributor to a Weblate project injects HTML or JavaScript into a translation, comment, or component field via the Weblate REST API. A second user runs wlc with the HTML output format against that project and opens the resulting file in a browser. The injected payload executes, allowing actions such as cookie theft, local file URI fetches, or pivoting to other web origins loaded in the same browser session.
# Patch excerpt from wlc/main.py - fix(output): properly escape generated HTML (#1327)
from __future__ import annotations
import csv
+import html
import json
import sys
from argparse import ArgumentParser
Source: GitHub commit 0f3e58f
Detection Methods for CVE-2026-42150
Indicators of Compromise
- HTML files produced by wlc containing raw <script>, <img onerror=...>, or javascript: URI fragments inside translation or component fields.
- Browser console errors or unexpected outbound network connections when opening wlc-generated HTML reports.
- Weblate translation entries containing HTML tags or event-handler attributes that have no functional purpose in localization strings.
Detection Strategies
- Inventory installed versions of the wlc package across developer workstations and CI runners; flag any installation below 2.0.0.
- Scan stored Weblate content via the REST API for HTML control characters and tag patterns in user-supplied fields.
- Inspect command-line history and CI pipeline logs for wlc invocations using the HTML output format.
Monitoring Recommendations
- Monitor Weblate API write operations for translation submissions containing HTML tags, especially <script>, <iframe>, or on*= attributes.
- Alert on browser launches of locally generated HTML reports from build agents that should not render untrusted content.
- Track package manager events (pip install wlc) to ensure pinning to wlc>=2.0.0 across environments.
How to Mitigate CVE-2026-42150
Immediate Actions Required
- Upgrade wlc to version 2.0.0 or later on all systems that consume Weblate API output.
- Audit existing wlc-generated HTML reports and re-render them after upgrading.
- Review Weblate projects for stored payloads containing HTML or JavaScript in translation fields.
Patch Information
The fix is delivered in wlc2.0.0, which adds HTML escaping to the output writer. The change is implemented in pull request WeblateOrg/wlc#1327 and commit 0f3e58f6d7457b05d48ef40f579a172c4c8b8469. Full details are documented in the GitHub Security Advisory GHSA-gx2m-mcc2-r4p3 and the wlc 2.0.0 release notes.
Workarounds
- Avoid using the HTML output format in wlc; prefer JSON or CSV formats when running unpatched versions.
- Render wlc HTML output only in sandboxed browser profiles with JavaScript disabled until the upgrade is complete.
- Restrict Weblate contributor permissions and review translations for embedded markup before exporting reports.
# Upgrade wlc to the patched release
pip install --upgrade 'wlc>=2.0.0'
# Verify the installed version
wlc --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

