Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42150

CVE-2026-42150: Weblate Wlc XSS Vulnerability

CVE-2026-42150 is a cross-site scripting flaw in Weblate Wlc that embeds API response data into HTML without escaping. This article covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-42150 Overview

CVE-2026-42150 is a cross-site scripting (XSS) vulnerability in wlc, the Weblate command-line client that interacts with Weblate's REST API. Versions prior to 2.0.0 embed API response data into HTML output without escaping. When a user renders the generated HTML in a browser, attacker-controlled content from the API response executes as script. The issue is tracked under [CWE-79] and was fixed in wlc version 2.0.0.

Critical Impact

Unescaped API response data in wlc HTML output enables script execution in the rendering browser, potentially exposing user session context and stored credentials.

Affected Products

  • Weblate wlc versions prior to 2.0.0
  • Weblate wlc command-line client (Python package)
  • Tooling and pipelines consuming wlc HTML output in a browser

Discovery Timeline

  • 2026-05-08 - CVE-2026-42150 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-42150

Vulnerability Analysis

The wlc client supports multiple output formats, including HTML, for rendering Weblate REST API responses. In versions prior to 2.0.0, the HTML output writer in wlc/main.py concatenates API response fields directly into HTML markup. The writer does not apply HTML entity escaping to attacker-influenceable fields such as translation strings, component names, or project metadata returned by the Weblate API.

When the resulting HTML file is opened in a browser, any embedded <script> tags or HTML event handlers execute in the browser's context. Exploitation requires that an attacker can influence content stored in a Weblate instance, that a user with wlc produces HTML output covering that content, and that the user renders the file. The scope change reflects script execution crossing from the file context into the browser security boundary.

Root Cause

The root cause is missing output encoding [CWE-79]. The HTML writer treated API response strings as safe markup rather than as data, omitting calls to an HTML-escape routine before interpolation. The fix imports Python's html module and escapes values prior to writing them into the HTML document.

Attack Vector

An authenticated contributor to a Weblate project injects HTML or JavaScript into a translation, comment, or component field via the Weblate REST API. A second user runs wlc with the HTML output format against that project and opens the resulting file in a browser. The injected payload executes, allowing actions such as cookie theft, local file URI fetches, or pivoting to other web origins loaded in the same browser session.

python
# Patch excerpt from wlc/main.py - fix(output): properly escape generated HTML (#1327)
 from __future__ import annotations

 import csv
+import html
 import json
 import sys
 from argparse import ArgumentParser

Source: GitHub commit 0f3e58f

Detection Methods for CVE-2026-42150

Indicators of Compromise

  • HTML files produced by wlc containing raw <script>, <img onerror=...>, or javascript: URI fragments inside translation or component fields.
  • Browser console errors or unexpected outbound network connections when opening wlc-generated HTML reports.
  • Weblate translation entries containing HTML tags or event-handler attributes that have no functional purpose in localization strings.

Detection Strategies

  • Inventory installed versions of the wlc package across developer workstations and CI runners; flag any installation below 2.0.0.
  • Scan stored Weblate content via the REST API for HTML control characters and tag patterns in user-supplied fields.
  • Inspect command-line history and CI pipeline logs for wlc invocations using the HTML output format.

Monitoring Recommendations

  • Monitor Weblate API write operations for translation submissions containing HTML tags, especially <script>, <iframe>, or on*= attributes.
  • Alert on browser launches of locally generated HTML reports from build agents that should not render untrusted content.
  • Track package manager events (pip install wlc) to ensure pinning to wlc>=2.0.0 across environments.

How to Mitigate CVE-2026-42150

Immediate Actions Required

  • Upgrade wlc to version 2.0.0 or later on all systems that consume Weblate API output.
  • Audit existing wlc-generated HTML reports and re-render them after upgrading.
  • Review Weblate projects for stored payloads containing HTML or JavaScript in translation fields.

Patch Information

The fix is delivered in wlc2.0.0, which adds HTML escaping to the output writer. The change is implemented in pull request WeblateOrg/wlc#1327 and commit 0f3e58f6d7457b05d48ef40f579a172c4c8b8469. Full details are documented in the GitHub Security Advisory GHSA-gx2m-mcc2-r4p3 and the wlc 2.0.0 release notes.

Workarounds

  • Avoid using the HTML output format in wlc; prefer JSON or CSV formats when running unpatched versions.
  • Render wlc HTML output only in sandboxed browser profiles with JavaScript disabled until the upgrade is complete.
  • Restrict Weblate contributor permissions and review translations for embedded markup before exporting reports.
bash
# Upgrade wlc to the patched release
pip install --upgrade 'wlc>=2.0.0'

# Verify the installed version
wlc --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.