
    8 vulnerabilities found for wlc by WeblateOrg

    CVE-2026-42150 (GCVE-0-2026-42150)

    Vulnerability from nvd – Published: 2026-05-08 03:23 – Updated: 2026-05-08 21:28
    VLAI
    Title
    wlc: print_html outputs API data without HTML escaping, enabling stored XSS
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 2.0.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T14:32:14.516536Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T21:28:38.342Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T03:23:12.234Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1327",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1327"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gx2m-mcc2-r4p3",
            "discovery": "UNKNOWN"
          },
          "title": "wlc: print_html outputs API data without HTML escaping, enabling stored XSS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42150",
        "datePublished": "2026-05-08T03:23:12.234Z",
        "dateReserved": "2026-04-24T17:15:21.835Z",
        "dateUpdated": "2026-05-08T21:28:38.342Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23535 (GCVE-0-2026-23535)

    Vulnerability from nvd – Published: 2026-01-16 19:08 – Updated: 2026-01-16 19:21
    VLAI
    Title
    wlc Path traversal: Unsanitized API slugs in download command
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T19:20:47.706307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T19:21:22.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-16T19:08:24.882Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1128",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1128"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mmwx-79f6-67jg",
            "discovery": "UNKNOWN"
          },
          "title": "wlc Path traversal: Unsanitized API slugs in download command"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23535",
        "datePublished": "2026-01-16T19:08:24.882Z",
        "dateReserved": "2026-01-13T18:22:43.982Z",
        "dateUpdated": "2026-01-16T19:21:22.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22251 (GCVE-0-2026-22251)

    Vulnerability from nvd – Published: 2026-01-12 17:55 – Updated: 2026-01-12 18:43
    VLAI
    Title
    wlc may leak API keys due to an insecure API key configuration
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc accepted unscoped API keys in its settings. This practice had been discouraged for years, but the code was never removed. As a result, the API key might be leaked to different servers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T18:43:08.912343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T18:43:53.664Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T17:55:09.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1098",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1098"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
            }
          ],
          "source": {
            "advisory": "GHSA-9rp8-h4g8-8766",
            "discovery": "UNKNOWN"
          },
          "title": "wlc may leak API keys due to an insecure API key configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22251",
        "datePublished": "2026-01-12T17:55:09.699Z",
        "dateReserved": "2026-01-07T05:19:12.921Z",
        "dateUpdated": "2026-01-12T18:43:53.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22250 (GCVE-0-2026-22250)

    Vulnerability from nvd – Published: 2026-01-12 17:52 – Updated: 2026-01-12 18:07
    VLAI
    Title
    wlc can skip SSL verification
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T18:05:29.339306Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T18:07:33.376Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T17:52:01.390Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1097",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1097"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"
            }
          ],
          "source": {
            "advisory": "GHSA-2mmv-7rrp-g8xh",
            "discovery": "UNKNOWN"
          },
          "title": "wlc can skip SSL verification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22250",
        "datePublished": "2026-01-12T17:52:01.390Z",
        "dateReserved": "2026-01-07T05:19:12.921Z",
        "dateUpdated": "2026-01-12T18:07:33.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42150 (GCVE-0-2026-42150)

    Vulnerability from cvelistv5 – Published: 2026-05-08 03:23 – Updated: 2026-05-08 21:28
    VLAI
    Title
    wlc: print_html outputs API data without HTML escaping, enabling stored XSS
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 2.0.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T14:32:14.516536Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T21:28:38.342Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T03:23:12.234Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1327",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1327"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gx2m-mcc2-r4p3",
            "discovery": "UNKNOWN"
          },
          "title": "wlc: print_html outputs API data without HTML escaping, enabling stored XSS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42150",
        "datePublished": "2026-05-08T03:23:12.234Z",
        "dateReserved": "2026-04-24T17:15:21.835Z",
        "dateUpdated": "2026-05-08T21:28:38.342Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23535 (GCVE-0-2026-23535)

    Vulnerability from cvelistv5 – Published: 2026-01-16 19:08 – Updated: 2026-01-16 19:21
    VLAI
    Title
    wlc Path traversal: Unsanitized API slugs in download command
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23535",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-16T19:20:47.706307Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-16T19:21:22.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-16T19:08:24.882Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1128",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1128"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"
            }
          ],
          "source": {
            "advisory": "GHSA-mmwx-79f6-67jg",
            "discovery": "UNKNOWN"
          },
          "title": "wlc Path traversal: Unsanitized API slugs in download command"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23535",
        "datePublished": "2026-01-16T19:08:24.882Z",
        "dateReserved": "2026-01-13T18:22:43.982Z",
        "dateUpdated": "2026-01-16T19:21:22.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22251 (GCVE-0-2026-22251)

    Vulnerability from cvelistv5 – Published: 2026-01-12 17:55 – Updated: 2026-01-12 18:43
    VLAI
    Title
    wlc may leak API keys due to an insecure API key configuration
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc accepted unscoped API keys in its settings. This practice had been discouraged for years, but the supporting code was never removed. Because an unscoped key is not tied to a specific server, it might be leaked to different servers.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22251",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T18:43:08.912343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T18:43:53.664Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T17:55:09.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1098",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1098"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
            }
          ],
          "source": {
            "advisory": "GHSA-9rp8-h4g8-8766",
            "discovery": "UNKNOWN"
          },
          "title": "wlc may leak API keys due to an insecure API key configuration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22251",
        "datePublished": "2026-01-12T17:55:09.699Z",
        "dateReserved": "2026-01-07T05:19:12.921Z",
        "dateUpdated": "2026-01-12T18:43:53.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22250 (GCVE-0-2026-22250)

    Vulnerability from cvelistv5 – Published: 2026-01-12 17:52 – Updated: 2026-01-12 18:07
    VLAI
    Title
    wlc can skip SSL verification
    Summary
    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, SSL certificate verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    WeblateOrg wlc Affected: < 1.17.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22250",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T18:05:29.339306Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T18:07:33.376Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wlc",
              "vendor": "WeblateOrg",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.17.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295: Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-12T17:52:01.390Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/pull/1097",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/pull/1097"
            },
            {
              "name": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"
            }
          ],
          "source": {
            "advisory": "GHSA-2mmv-7rrp-g8xh",
            "discovery": "UNKNOWN"
          },
          "title": "wlc can skip SSL verification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-22250",
        "datePublished": "2026-01-12T17:52:01.390Z",
        "dateReserved": "2026-01-07T05:19:12.921Z",
        "dateUpdated": "2026-01-12T18:07:33.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }