CVE-2026-42150
HTML Output Cross-Site Scripting Vulnerability in Weblate Command-Line Client
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | command_line_client | up to and including 1.18 |
| weblate | command_line_client | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Weblate command-line client (wlc) prior to version 2.0.0 involves improper escaping of API response data embedded into HTML output. Specifically, the HTML output format embeds API data directly into HTML without escaping special characters, which allows an attacker to inject malicious HTML or JavaScript code. This leads to a cross-site scripting (XSS) vulnerability when the output is viewed in a browser.
The issue was fixed by introducing an HTML escaping helper that escapes both keys and values before they are rendered into HTML tables, so server-supplied strings are displayed as text rather than interpreted as markup or script.
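The defect and the fix described above, shown side by side as an added example; this is not wlc's own code, and the function names, the check helpers and the constructed Weblate-API-shaped record with an attacker-controlled project name are assumptions for illustration. `render_table_vulnerable` mirrors the raw-interpolation pattern the advisory describes; `render_table_fixed` escapes keys and values with the standard library's `html.escape`, which is the kind of helper the fix introduced.

```python
"""Added example (not wlc's own code): unescaped vs. escaped HTML table output."""
import html
import re

# Constructed sample shaped like a Weblate API project object. The "name" and
# "note" strings stand in for attacker-controlled data stored on the server.
SAMPLE_RECORD = {
    "name": 'Demo <img src=x onerror="alert(1)">',
    "slug": "demo",
    "note": "<script>alert(document.cookie)</script>",
    "source_language": {"code": "en", "name": "English"},
}


def render_table_vulnerable(record: dict) -> str:
    """Pre-fix pattern: keys and values interpolated straight into the markup."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in record.items())
    return f"<table>{rows}</table>"


def render_table_fixed(record: dict) -> str:
    """Post-fix pattern: every key and value passes through an escaping helper.

    quote=True also encodes " and ', so the same helper is safe if a value ever
    ends up inside an attribute rather than element text.
    """

    def esc(value) -> str:
        return html.escape(str(value), quote=True)

    rows = "".join(
        f"<tr><th>{esc(k)}</th><td>{esc(v)}</td></tr>" for k, v in record.items()
    )
    return f"<table>{rows}</table>"


# Rough review helper for HTML files already produced by an old wlc: a '<' or
# '>' inside a table cell means server data reached the page unescaped.
# This is a marker check, not an HTML parser.
_CELL = re.compile(r"<td>(.*?)</td>", re.S)


def cells_with_markup(document: str) -> list[str]:
    """Return the cell bodies that still contain raw angle brackets."""
    return [c for c in _CELL.findall(document) if "<" in c or ">" in c]


def recover_cell_text(document: str) -> list[str]:
    """Unescape cell bodies to confirm escaping lost no information."""
    return [html.unescape(c) for c in _CELL.findall(document)]


if __name__ == "__main__":
    print("vulnerable:", render_table_vulnerable(SAMPLE_RECORD))
    print("fixed:     ", render_table_fixed(SAMPLE_RECORD))
    print("leaked cells:", cells_with_markup(render_table_vulnerable(SAMPLE_RECORD)))
```

Note that the escaped output is lossless: `recover_cell_text` unescapes each cell back to the original string, so the fix changes how the data is displayed, not what is displayed.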
How can this vulnerability impact me?
An attacker who can get markup into data the Weblate API returns (for example a project or component name) gets that markup executed in the browser of whoever opens the HTML output generated by wlc. That can mean stolen session tokens, redirection to a malicious site, or actions performed as the viewing user. How much the injected script can reach depends on where the output is opened: a file opened from local disk has no access to a web application's cookies, whereas output published on an internal web server runs in that server's origin.
The attack requires user interaction (someone must open the generated HTML in a browser) and some level of privileges (enough to place attacker-controlled strings in the data the API serves), and the attack complexity is rated high. Only the opt-in HTML output format is affected, but a successful exploit impacts the confidentiality, integrity, and availability of data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the HTML output format of the Weblate command-line client (wlc) prior to version 2.0.0, where API response data is embedded into HTML without escaping, leading to cross-site scripting (XSS). Detection comes down to identifying vulnerable wlc versions and finding out whether HTML output is generated and then rendered in a browser.
Check the installed version with `wlc --version` or `pip show wlc`; anything below 2.0.0 is affected.
To review HTML output already produced by a vulnerable version, inspect the generated files for markup that should have been plain text. A first pass is `grep -rEi '<script|onerror=|onload=|javascript:' /path/to/wlc/output`, but treat it as a rough filter: attackers are not limited to `<script>`, and any `<` or `>` inside a table cell that did not come from wlc's own template indicates unescaped server data.
The resources provide no specific detection signatures; version checking plus review of generated HTML output is the practical approach.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Weblate command-line client (wlc) to version 2.0.0 or later, where HTML output is properly escaped.
If upgrading immediately is not possible, do not use the HTML output format (`--format html`); it is opt-in, and the other output formats are not affected by this issue.
Until the client is updated, make sure any HTML output already generated by wlc is not opened in a browser or published where others can view it.
Review and apply any security advisories or patches provided by the Weblate project, as detailed in the GitHub security advisory and release notes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.