Ghostwire

CVE-2026-42150: wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc...

MEDIUM CVSS 5.5 Exploit Available

Published: May 8, 2026 | Last Modified: May 8, 2026

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

References

www.tenable.com/cve/CVE-2026-42150
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-42150
github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469
github.com/WeblateOrg/wlc/pull/1327
github.com/WeblateOrg/wlc/releases/tag/2.0.0
github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3