Search criteria

4 vulnerabilities found for wlc by WeblateOrg

CVE-2026-42150 (GCVE-0-2026-42150)

Vulnerability from cvelistv5 – Published: 2026-05-08 03:23 – Updated: 2026-05-08 21:28
VLAI?
Title
wlc: print_html outputs API data without HTML escaping, enabling stored XSS
Summary
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
WeblateOrg wlc Affected: < 2.0.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42150",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:32:14.516536Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:28:38.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wlc",
          "vendor": "WeblateOrg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T03:23:12.234Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/pull/1327",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/pull/1327"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/releases/tag/2.0.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gx2m-mcc2-r4p3",
        "discovery": "UNKNOWN"
      },
      "title": "wlc: print_html outputs API data without HTML escaping, enabling stored XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42150",
    "datePublished": "2026-05-08T03:23:12.234Z",
    "dateReserved": "2026-04-24T17:15:21.835Z",
    "dateUpdated": "2026-05-08T21:28:38.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23535 (GCVE-0-2026-23535)

Vulnerability from cvelistv5 – Published: 2026-01-16 19:08 – Updated: 2026-01-16 19:21
VLAI?
Title
wlc Path traversal: Unsanitized API slugs in download command
Summary
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
WeblateOrg wlc Affected: < 1.17.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-16T19:20:47.706307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-16T19:21:22.629Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wlc",
          "vendor": "WeblateOrg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-16T19:08:24.882Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/pull/1128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/pull/1128"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"
        }
      ],
      "source": {
        "advisory": "GHSA-mmwx-79f6-67jg",
        "discovery": "UNKNOWN"
      },
      "title": "wlc Path traversal: Unsanitized API slugs in download command"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23535",
    "datePublished": "2026-01-16T19:08:24.882Z",
    "dateReserved": "2026-01-13T18:22:43.982Z",
    "dateUpdated": "2026-01-16T19:21:22.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22251 (GCVE-0-2026-22251)

Vulnerability from cvelistv5 – Published: 2026-01-12 17:55 – Updated: 2026-01-12 18:43
VLAI?
Title
wlc may leak API keys due to an insecure API key configuration
Summary
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
WeblateOrg wlc Affected: < 1.17.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22251",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:43:08.912343Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:43:53.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wlc",
          "vendor": "WeblateOrg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T17:55:09.699Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/pull/1098",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/pull/1098"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
        }
      ],
      "source": {
        "advisory": "GHSA-9rp8-h4g8-8766",
        "discovery": "UNKNOWN"
      },
      "title": "wlc may leak API keys due to an insecure API key configuration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22251",
    "datePublished": "2026-01-12T17:55:09.699Z",
    "dateReserved": "2026-01-07T05:19:12.921Z",
    "dateUpdated": "2026-01-12T18:43:53.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22250 (GCVE-0-2026-22250)

Vulnerability from cvelistv5 – Published: 2026-01-12 17:52 – Updated: 2026-01-12 18:07
VLAI?
Title
wlc can skip SSL verification
Summary
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
Impacted products
Vendor Product Version
WeblateOrg wlc Affected: < 1.17.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22250",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T18:05:29.339306Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T18:07:33.376Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wlc",
          "vendor": "WeblateOrg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wlc is a Weblate command-line client using Weblate\u0027s REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T17:52:01.390Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/pull/1097",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/pull/1097"
        },
        {
          "name": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"
        }
      ],
      "source": {
        "advisory": "GHSA-2mmv-7rrp-g8xh",
        "discovery": "UNKNOWN"
      },
      "title": "wlc can skip SSL verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22250",
    "datePublished": "2026-01-12T17:52:01.390Z",
    "dateReserved": "2026-01-07T05:19:12.921Z",
    "dateUpdated": "2026-01-12T18:07:33.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}